
TIBCO LogLogic®

Log Management Intelligence (LMI)

User Guide

Software Release 5.6.3

January 2016

Two-Second Advantage®

Important Information

SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIBCO, Two-Second Advantage, and LogLogic are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.

All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright © 2002-2016 TIBCO Software Inc. ALL RIGHTS RESERVED.

TIBCO Software Inc. Confidential Information

Contents

Preface  9
  Related Documents  10
  Typographical Conventions  11
  Technical Support  13
  How to Join TIBCOmmunity  13
  How to Access TIBCO Documentation  13
  How to Contact TIBCO Support  13

Chapter 1 Using LogLogic Appliances  15
  LogLogic Appliance Overview  16
  Appliance User Functions  17
  LogLogic Product Families  18
  LogLogic LX Product Family  18
  LogLogic MX Product Family  19
  LogLogic ST Product Family  19
  Scalable Infrastructure  20

Chapter 2 Viewing Dashboards  21
  Viewing System Status  22
  Viewing Multiple Systems Status (Management Station)  27
  Viewing Message Rate  29
  Viewing CPU Usage  30
  Viewing Log Source Status  32
  Viewing Unapproved Messages  35
  Viewing Recent Messages  36
  Viewing Log Source Data Trend  38
  Managing Your Dashboard  39
  Managing Widgets  40
  Defining your Dashboard Canvas Settings  50

Chapter 3 Viewing Real Time Log Messages  51
  Accessing and Selecting Real Time Messages to View  52
  Viewing Log Messages in Real Time  56
  Java Security Settings  57
  Modifying your Java settings  57

Chapter 4 Searching Collected Log Messages  59
  Search Overview  60
  Using Index Search  62
  Search Expression Rules  62
  Running an Index Search  63
  Using the Search Results Tab  65
  Using the Search History Tab  73
  Using the Search Filters Tab  75
  Using the Clipboard Tab  75
  Tag-Based Searches Using the Tag Picker Interface  78
  Using Regular Expression Search  79
  Using Distributed Regular Expression Search  81
  Viewing Pending and Running Searches  83
  Viewing RegEx Search Results  85
  Using Search Filters  86
  Adding a Search Filter  86
  Search Filter Options  87
  Putting Your Logins Search Filter to Work  90
  Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter  91
  Modifying a Search Filter  94
  Viewing All Saved Index Searches  95
  Using and Creating All Index Reports  96

Chapter 5 Creating and Managing Alerts  99
  Viewing and Handling Alerts  100
  Manage Alert Templates  102
  Adding a New Alert Template Format  102
  Viewing and Modifying an Alert Template  106
  Removing an Alert Template  106
  Managing Alert Rules  107
  Preconfigured System Alerts  107
  Adding a New Alert Rule  108
  Parsed Data Alerts  113
  Modifying or Removing An Alert  114

Chapter 6 Generating Real-Time Reports  115
  Preparing a Real-Time Report  116
  Generating a Report—An Example  120
  Available Operators  122
  Access Control Reports  125
  Permission Modification Reports  126
  User Access Reports  127
  User Authentication Reports  128
  User Created/Deleted Reports  129
  User Last Activity Reports  130
  Windows Events Reports  132
  Database Activity Reports  134
  All Database Events Reports  135
  Database Access Report  136
  Database Data Access Report  137
  Database Privilege Modifications Report  138
  Database System Modifications Report  139
  IBM i5/OS Activity Reports  140
  All Log Entry Types Reports  141
  System Object Access Reports  143
  User Access By Connection Reports  146
  User Actions Reports  148
  User Jobs Reports  151
  Threat Management Reports  154
  IDS/IPS Activity Reports  155
  Threat Activity Reports  156
  Configuration Activity Reports  157
  Scan Activity Reports  159
  Security Summary Reports  160
  DB IPS Activity Reports  161
  HIPS Activity Reports  162
  Mail Activity Reports  164
  Exchange 2000/03 SMTP Reports  165
  Exchange 2000/03 Activity Reports  166
  Exchange 2000/03 Delay Reports  167
  Exchange 2000/03 Size Reports  168
  Server Activity Reports  169
  Exchange 2007/10 Activity Reports  169
  Exchange 2007/10 Mail Size Reports  170
  Network Activity Reports  172
  Accepted Connections Reports  174
  Active FW Connections Reports  175
  Active VPN Connections Reports  176
  Application Distribution Reports  177
  Denied Connections Reports  178
  FTP Connections Reports  180
  VPN Access Reports  181
  VPN Sessions Reports  182
  VPN Top Lists Reports  183
  Web Cache Activity Reports  184
  Web Surfing Activity Report  185
  DHCP Activity Report  186
  DHCP Granted/Renewed Activity Report  187
  DHCP Denied Activity Report  188
  NAT64 Activity Report  189
  Operational Reports  191
  All Unparsed Events Reports  192
  Firewall Statistics Reports  192
  Total Message Count Reports  193
  Security Events Reports  194
  System Events Reports  195
  VPN Events Reports  196
  Policy Reports  198
  Check Point Policies Reports  199
  Network Policies Reports  199
  Rules/Policies Reports  200
  ECM Policy Reports  201
  Enterprise Content Management  203
  ECM Activity Reports  204
  Content Management Reports  205
  Security Settings Reports  205
  Expiration and Disposition Reports  206
  HP NonStop Audit  208
  Configuration Changes Reports  209
  Failed and Successful Logins Reports  210
  Object Changes Reports  211
  HP NonStop Audit Activity Reports  212
  User Actions Reports  213
  Object Access Reports  214
  IBM z/OS Activity  215
  Resource Access Reports  216
  Security Modifications Reports  217
  System Access/Configuration Reports  218
  Unix System Services Reports  218
  Login/Logout Reports  219
  Violation Reports  220
  Storage Systems Activity  222
  Filer Access Reports  222
  Flow Activity  224
  Application Usage Reports  224
  User Browsing Reports  225
  Top Users Reports  226
  All Saved Reports  228

Chapter 7 Setting User Preferences  229
  Viewing Your LogApp Account  230
  Changing Login Landing Page  231
  Changing LogApp Account Password  232

Appendix A Syslog Host Field Character Sets  233
  Syslog Header Character Sets  234
  Exceptions  235

Preface

The LogLogic User Guide is an operational guide for LogLogic Appliances. It covers topics related to managing dashboards, reports, and alerts, and to performing searches, so that you can manage and use the log data collected and aggregated from all types of source systems in your enterprise.

Topics

Related Documents on page 10

Typographical Conventions on page 11

Technical Support on page 13


Related Documents

The LogLogic documentation is available on the TIBCO Product Documentation website: https://docs.tibco.com/products/a_z_products.

The following documents contain information about the LogLogic Appliances:

• LogLogic Release Notes — Provides information specific to the release, including product information, new features and functionality, resolved issues, known issues, and any late-breaking information. Check the LogLogic Customer Support Website periodically for further updates.

• LogLogic Hardware Installation Guide — Describes how to get started with your LogLogic Appliance. In addition, the guide includes details about the Appliance hardware for all models.

• LogLogic Configuration and Upgrade Guide — Describes how to install and upgrade the LogLogic Appliance software.

• LogLogic User Guide — Describes how to use the LogLogic solution: viewing dashboards, managing reports, managing alerts, and performing searches.

• LogLogic Administration Guide — Describes how to administer the LogLogic solution, including all Management and Administration menu options.

• LogLogic Log Source Configuration Guide — Describes how to support log data from various log sources. There is a separate manual for each supported log source. These documents include documentation on LogLogic Collectors as well as documentation on how to configure log sources to work with the LogLogic solution.

• LogLogic Collector Guides — Describe how to implement support for using a LogLogic Collector for specific log sources such as IBM i5/OS and ISS Site Protector.

• LogLogic Web Services API Implementation Guide — Describes how to implement the LogLogic Web Services APIs to manage reports, manage alerts, perform searches, and administer the system.

• LogLogic Syslog Alert Message Format Quick Reference Guide — Describes the LogLogic Syslog alert message format.

• LogLogic Enterprise Virtual Appliance Quick Start Guide — Provides instructions on how to quickly set up the TIBCO Enterprise Virtual Appliance.

• LogLogic Log Source Report Mapping Guide — Provides a set of tables listing Log Source Reports by Device Type, sorted by UI Category.

• LogLogic Online Help — Describes the Appliance user interface, including descriptions for each screen, tab, and element in the Appliance.


Typographical Conventions

The following typographical conventions are used in this manual.

Table 1 General Typographical Conventions

Convention: ENV_NAME, TIBCO_HOME, <ProductAcronym>_HOME

Use: TIBCO products are installed into an installation environment. A product installed into an installation environment does not access components in other installation environments. Incompatible products and multiple instances of the same product must be installed into different installation environments.

An installation environment consists of the following properties:

Name: Identifies the installation environment. This name is referenced in documentation as ENV_NAME. On Microsoft Windows, the name is appended to the name of Windows services created by the installer and is a component of the path to the product shortcut in the Windows Start > All Programs menu.

Path: The folder into which the product is installed. This folder is referenced in documentation as TIBCO_HOME.

TIBCO <ProductName> installs into a directory within a TIBCO_HOME. This directory is referenced in documentation as <ProductAcronym>_HOME. The default value of <ProductAcronym>_HOME depends on the operating system. For example, on Windows systems the default value is C:\tibco\<ProductAcronym>\<ReleaseNumber>.

Convention: code font

Use: Code font identifies commands, code examples, filenames, pathnames, and output displayed in a command window. For example: Use MyCommand to start the foo process.

Convention: bold code font

Use: Bold code font is used in the following ways:

• In procedures, to indicate what a user types. For example: Type admin.

• In large code samples, to indicate the parts of the sample that are of particular interest.

• In command syntax, to indicate the default parameter for a command. For example, if no parameter is specified, MyCommand is enabled: MyCommand [enable | disable]

Convention: italic font

Use: Italic font is used in the following ways:

• To indicate a document title. For example: See TIBCO ActiveMatrix BusinessWorks Concepts.

• To introduce new terms. For example: A portal page may contain several portlets. Portlets are mini-applications that run in a portal.

• To indicate a variable in a command or code syntax that you must replace. For example: MyCommand PathName

Convention: Key combinations

Use: Key names separated by a plus sign indicate keys pressed simultaneously. For example: Ctrl+C. Key names separated by a comma and space indicate keys pressed one after the other. For example: Esc, Ctrl+Q.

Convention: Note icon

Use: The note icon indicates information that is of special interest or importance, for example, an additional action required only in certain circumstances.

Convention: Tip icon

Use: The tip icon indicates an idea that could be useful, for example, a way to apply the information provided in the current section to achieve a specific result.

Convention: Warning icon

Use: The warning icon indicates the potential for a damaging situation, for example, data loss or corruption if certain steps are taken or not taken.


Technical Support

How to Join TIBCOmmunity

TIBCOmmunity is an online destination for TIBCO customers, partners, and resident experts. It is a place to share and access the collective experience of the TIBCO community. TIBCOmmunity offers forums, blogs, and access to a variety of resources. To register, go to http://www.tibcommunity.com .

How to Access TIBCO Documentation

You can access TIBCO documentation here: https://docs.tibco.com

How to Contact TIBCO Support

For comments or problems with this manual or the software it addresses, contact TIBCO Support as follows:

• For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site: http://www.tibco.com/services/support

• If you already have a valid maintenance or support contract, visit this site: https://support.tibco.com


Chapter 1

Using LogLogic Appliances


Topics

LogLogic Appliance Overview on page 16

Appliance User Functions on page 17

LogLogic Product Families on page 18


LogLogic Appliance Overview

Log data can comprise up to 25 percent of all enterprise data. Log data also contains critical information that can improve security, compliance and availability. Until now most companies have relied on ineffective and inefficient homegrown solutions and manual processes to manage this data.

LogLogic provides the industry's first enterprise class, end-to-end log management solution. Using LogLogic log management solutions, IT organizations can analyze and archive network log data for the purpose of compliance and legal protection, decision support for network security remediation, and increased network performance and improved availability.

LogLogic log management Appliances simplify, automate, and reduce the cost of log data aggregation and retention, eliminating the need for servers, tape libraries, and archival administrators. If the network grows, simply rack and stack additional Appliances as needed.


Appliance User Functions

There are two primary user types on a LogLogic Appliance:

• User – monitors Appliance operations, runs searches, manages alerts, and creates and runs reports based on collected data

• Administrator – configures and maintains the Appliance itself, including managing log sources, user accounts, Appliance configurations, running backups, and more

Depending on access permissions, a user can perform User functions, Administrator functions, or both. This manual describes User tasks and functions. For Administrator information, see the LogLogic Administration Guide.

Dashboard, Reports, Search, and Alert functions can be opened by clicking their respective icons on the home page or by clicking their buttons on the top navigation menu on the home page.

Management and Administration functions for the Appliance are opened by clicking their buttons on the top menu on the home page. For more information on these functions, see the LogLogic Administration Guide.

Online Help can be opened by clicking the Help button on any page. Brief video tutorials provide tips and guidance by example for many new LogLogic features. Tutorials can be accessed from the home page and from certain application pages.

The Appliance GUI provides access to all Administrator and User functions. Administrators can perform all functions on the Appliance, while Users are limited to functions that have been assigned to them by the System Administrator.

The functions in the navigation menu vary depending on the Appliance product family. For example, an ST Appliance displays fewer options than the LX Appliance because certain features are not available on ST Appliances. In addition, Reports may show different entries, depending on the Log Source Packages (LSPs) installed.

For all text fields throughout the UI, null is not a valid entry.

In addition to documentation, the LogLogic Appliance is supported by comprehensive, context-sensitive online Help, which can be opened from any UI page in the application. Clicking the question mark (?) opens Help for the particular tab that is highlighted. Clicking the word Help (above the question mark) opens the entire online Help repository, plus a Table of Contents, an Index, and a Search function within Help. Take a moment to explore Help to discover the rich content offered there.


LogLogic Product Families

LogLogic offers four families of products to provide better, faster and smarter log management, database security, and regulatory compliance solutions to corporations:

• LogLogic LX Appliances are purpose-built Appliances for real-time log data collection and analysis. These Appliances slash response times to network security and utilization incidents, boost IT productivity, and reduce the corporate cost of security and performance event remediation.

• LogLogic MX Appliances perform real-time log data collection and analysis ideal for mid-size and large companies. These Appliances slash response times to network security and utilization incidents, boost IT productivity, and are optimized to provide for log data needs in a non-enterprise environment.

• LogLogic ST Appliances automate the entire log data archival process, minimizing administration costs while providing more secure log data capture and retention.

• LogLogic Appliances bring visibility of compliance activity metrics to CIOs and CSOs, and control over activities to the compliance team, permitting them to proactively review the compliance timeliness and compliance posture mandated by Sarbanes-Oxley (SOX) and Payment Card Industry Data Security Standard (PCI-DSS).

LogLogic Appliances provide the highest log collection and analysis performance amongst all log management vendors. Log events are received and indexed in real-time. The LogLogic Appliances have clearly stated metrics that cannot be matched.

LogLogic LX Product Family

Featuring a parallel processing architecture, the Appliances centralize log data collection and retention by simultaneously processing raw log data and metalog data at any volume. Distributed real-time reporting and targeted queries let administrators take immediate action on network issues from a centralized management console.

These Appliances help enterprises harness the power of log data for a safer, more reliable network, while reducing corporate IT costs and providing rapid return on investment.

LX Benefits

LX product family Appliances offer the following benefits:

• Real-Time Reports, ad-hoc queries and fast drill downs to speed up identification, isolation and repair of security and network incidents

• Non-disruptive installation and plug-and-play operation: no changes to network configurations, no integration with other systems, no training required, available in minutes

• Self-maintaining, embedded database technology that eliminates the need for DB administration

To view photographs of the LX Appliance layout, see the LogLogic Hardware Installation Guide.

LogLogic MX Product Family

The Appliances centralize log data collection and retention by simultaneously processing raw log data and metalog data at any volume. Designed specifically for mid-size and large companies, MX Appliances provide the disk space and processing power required for most non-enterprise environments.

MX Appliance features support the need to harness the power of log data for a safer, more reliable network, while reducing corporate IT costs and providing rapid return on investment. MX Appliances are designed for installations where data must be retained longer than LX Appliances provide, but where enterprise features such as failover* and managing other log Appliances are not required.

MX Benefits

MX product family Appliances offer the following benefits:

• Real-Time Reports, ad-hoc queries and fast drill downs to speed up identification, isolation and repair of security and network incidents

• Features and specifications targeted specifically to mid-size and large companies

• Self-maintaining, embedded database technology that eliminates the need for DB administration

To view photographs of the MX Appliance layout, see the LogLogic Hardware Installation Guide.

LogLogic ST Product Family

Available in compact, rack-mountable systems with up to 8 terabytes of compressed on-board storage and interfaces to NAS devices, the ST Appliances archive up to 2 years of log data while eliminating the need for servers, tape libraries, and archive administrators.


The ST SAN (Storage Area Network) product offers potentially unlimited archive storage.

When used with LogLogic's LX Appliances, ST Appliances guarantee complete and accurate transmission of network equipment logs from anywhere on the enterprise WAN or LAN. ST Appliances feature an n-Tier architecture controlled by a management console that centralizes long-term log data archival while allowing for distributed log analysis and broader data accessibility.

ST Benefits

ST product family Appliances offer the following benefits:

• High volume log data aggregation from centralized and remote log data sources

• Long-term retention of unaltered, complete, raw log messages at a secure, central location to make archives unimpeachable

• Distributed architecture of remote collection and central storage make log data collection and retention infinitely scalable

To view photographs of the ST Appliance layout, see the LogLogic Hardware Installation Guide.

Scalable Infrastructure

The scalable LogLogic network infrastructure significantly accelerates response time to data center security and availability events, while providing complete log data archives for compliance and legal protection. LogLogic Appliances make log data in enterprise networks truly useful for the first time, improving corporate security, compliance and network availability, while reducing IT costs and costly network downtime, and improving corporate return on IT investment.


Chapter 2

Viewing Dashboards

LogLogic Appliances let you monitor a large variety of data to observe the system’s status and the widgets saved on your Dashboard.

Topics

Viewing System Status on page 22

Viewing Multiple Systems Status (Management Station) on page 27

Viewing Log Source Status on page 32

Viewing Log Source Data Trend on page 38

Managing Your Dashboard on page 39


Viewing System Status

The System Status tab displays a condensed view of the Appliance's current state, showing current message rate, CPU utilization, database size, alerts, and total message counts.

After you log in to the Appliance, the System Status tab is the default display.

To view system status

1. Choose Dashboards > System Status from the navigation menu.

2. View the following sections on the System Status tab for information about your Appliance’s system status:

— Current Message Rate

— New Alerts

— Disk Usage

— CPU Usage

— Message Counters

Detailed descriptions for each section are documented in Table 2 on page 22.

3. Click to expand or collapse a section to display an expanded or condensed version of the section’s status information.

4. Optionally, click the Message Rate tab for a larger view of this graph.

5. For more information, see Viewing Message Rate on page 29.

6. Optionally, click the CPU Usage graph or the CPU Usage tab for a larger version of this graph.

7. For more information, see Viewing CPU Usage on page 30.

8. Click the Refresh button to update the system status information for your Appliance.

Table 2 System Status Tab Elements

General information

Uptime: Continuous running time since the last reboot of the Appliance.

Date/Time: Date and time set on the Appliance.

Software Version: LogLogic software release running on the Appliance.

Failover (not visible unless issues are present): Status of the Management Station cluster’s master and standby Appliances. If issues exist, they are indicated through flags:

• C: Cluster_id mismatch

• A: Appliance model mismatch

• V: Software version mismatch

• E: Eligible

• H: HA mode

• X: eXcluded

• O: Out-of-cluster

• M: Master

• S: Standby

For example, the failover status line Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O) means the master is waiting for the standby, and the standby is running the wrong software version, is configured for failover, is eligible for HA, but is excluded, and (as a result of the version mismatch) is out of cluster.

IMPORTANT! Once two Appliances are HA paired, no network settings should be changed.

System Status sections

Current Message Rate: Measured messages per second rate for the last 1, 5, and 15 minute time segments. Click the 1 MIN, 5 MIN, or 15 MIN heading links to change the Message Rate Graph time scale to 2 hour, 12 hour, and 24 hour time scales, respectively.

When using LogLogic TCP for routing logs to the Appliance, this graph displays spikes of activity every 5 minutes rather than a steadier line. This is because LogLogic TCP transfers data in regularly recurring chunks that are merged on the Appliance, and not continually.

Message Rate Graph (Message Rate tab): Recent message rate over 1, 5, and 15 minute time segments. The pink line represents the average number of messages per time segment. The blue line represents the real-time incoming message rate for your Appliance. The red line appears when inbound traffic exceeds the preset threshold. Click the Message Rate tab for a larger view of this graph.

New Alerts: (LX/MX only) Number of active alerts over 1, 6, and 12 hour periods categorized by priority.

Disk Usage: Current size of the database usage relative to table space allocation. This can be helpful for calculating data retention time tables, by listing Free and Total available usage.

CPU Usage: Current CPU utilization for the last 1, 5, and 15 minute time segments. Click the 1, 5, and 15 minute headings to change the CPU Usage Graph time scale to 2, 12, and 24 hour time scales, respectively.

CPU Usage Graph: Percent CPU utilization over 1, 5, and 15 minute time segments. Click the CPU Usage Graph or the CPU Usage tab for a larger version of this graph.

Message Counters: Statistics on each message category stored in the Appliance since the last boot. The count corresponds to a percentage of the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates.

Message categories:

Total Received—Total number of incoming messages for all categories.

Processed—Total number of messages received and parsed into the database.

Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. The most recent 100 messages are accessible from the Data Sources screen. (If auto-identify is on, all messages are auto-identified and no messages are unapproved.)

Skipped—Total number of messages ignored by the Appliance due to a syntactic flaw in the message.

Dropped—Total number of messages recognized but not processed due to network congestion or a corrupted syslog message.

The following appear only on LX and MX Appliances:

Total Parsed—Total number of incoming messages parsed for all categories.

Accepted IP—Total number of messages indicating successful connections through the firewall. For example, PIX® Message Numbers 302013-302016.

Denied IP—Total number of messages indicating denied access by the firewall. For example, PIX Message Numbers 106001, 106006, 106007, 106015, 106023.

Security—Total number of messages to be recorded in the Security Event Log report.

System—Total number of messages to be recorded in the System Event Log report.

Generic—Total number of flawed messages received from an approved source. These messages are discarded.

URL—Total number of messages to be recorded to the Web Surfing Activity report.

FTP—Total number of messages to be recorded in the FTP Connections report.

Auth/Access—Total number of messages to be recorded to the VPN Events report.

Other—Any message that is not included in the other listed categories.

Refresh button: Updates the system status information for your Appliance.
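The Failover row above gives a flag legend and one example status line. The following Python script is an added example, not LogLogic code, that decodes such a line into per-Appliance flag meanings so the same check can be applied to a status line captured from the UI. The flag letters and the sample line are taken from Table 2; the regular expression, the function names and the split into "problem" flags versus role or eligibility flags are assumptions made for this illustration.

```python
"""Decode a LogLogic failover status line (Table 2, Failover row).

Added example, not LogLogic code. The flag letters, their meanings and the
sample line come from Table 2; the regular expression, the function names and
the split into "problem" flags versus role/eligibility flags are assumptions
made for this illustration.
"""
import re

# Flag legend from Table 2. In the status line, "_" stands for a flag that is
# not set and "/" only separates groups of flags.
FLAG_MEANINGS = {
    "C": "Cluster_id mismatch",
    "A": "Appliance model mismatch",
    "V": "Software version mismatch",
    "E": "Eligible",
    "H": "HA mode",
    "X": "eXcluded",
    "O": "Out-of-cluster",
    "M": "Master",
    "S": "Standby",
}

# Assumption: these flags signal a condition an operator must act on; the
# remaining flags describe role or eligibility.
PROBLEM_FLAGS = ("C", "A", "V", "X", "O")

# Sample status line, copied from the Table 2 example.
SAMPLE_LINE = "Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O)"

# One "<role> <ip> (<detail>)" fragment; the parenthesised detail is optional.
_MEMBER_RE = re.compile(
    r"\b(?P<role>master|standby)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+\((?P<detail>[^)]*)\))?"
)


def parse_failover_line(line):
    """Return {role: {"ip", "state", "flags", "problems"}} for each cluster member."""
    if not line.startswith("Failover:"):
        raise ValueError("not a failover status line: %r" % line)
    members = {}
    for m in _MEMBER_RE.finditer(line):
        detail = m.group("detail") or ""
        entry = {"ip": m.group("ip"), "state": None, "flags": [], "problems": []}
        if detail.startswith("flags:"):
            # Keep only the flag letters; "_" and "/" carry no information.
            letters = [c for c in detail[len("flags:"):] if c.isalpha()]
            entry["flags"] = letters
            entry["problems"] = [
                FLAG_MEANINGS.get(c, "unknown flag " + c)
                for c in letters
                if c in PROBLEM_FLAGS
            ]
        elif detail:
            entry["state"] = detail  # e.g. "wait": the master is waiting for the standby
        members[m.group("role")] = entry
    if not members:
        raise ValueError("no cluster members found in: %r" % line)
    return members


def describe_flags(flags):
    """Expand flag letters to their Table 2 meanings, in the order given."""
    return [FLAG_MEANINGS.get(c, "unknown flag " + c) for c in flags]


def needs_attention(members):
    """True when any member carries a problem flag (a candidate for an operator alert)."""
    return any(entry["problems"] for entry in members.values())


if __name__ == "__main__":
    parsed = parse_failover_line(SAMPLE_LINE)
    for role, entry in parsed.items():
        print(role, entry["ip"], entry["state"], describe_flags(entry["flags"]))
    print("needs attention:", needs_attention(parsed))
```

Running the script on the Table 2 sample reports the standby's version mismatch, exclusion and out-of-cluster state as problems while the master only shows the "wait" state; a pair whose flag groups contain only E, H and M or S produces no problems.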


Viewing Multiple Systems Status (Management Station)

The Management Station System Status is the fastest way to view the condition and status of your Appliances as traffic flows through your system. You can use this information to provide for rapid reporting to the operations staff and acquire information about syslog messages at any particular time.

The System Status information uses a proprietary technology for optimizing and then collecting security data for immediate use. Administrators can monitor the CPU usage when necessary to check on its congestion.

After you log in to the Appliance, the Dashboards > Management Station tab is the default display.

To view system status using a Management Station

1. Choose Dashboards > Management Station from the navigation menu.

2. View the following sections on the Management Station tab for information about an Appliance’s status:

— Message Statistics

— Message Rate

— New Alerts

— Message Counters

For detailed descriptions of each section, see Table 3 on page 27.

3. Click the Refresh button to view updated status information for the Appliance.

Table 3 Management Station Screen Elements

General information

Software Version: Management Station Appliance’s software version.

Help icon: Displays the Help topic for this tab.

Management Station sections

Appliances: Lists the Appliances in your Management Station cluster. To view the System Status for an Appliance, click its name. A green square indicates the Appliance is online. A red square indicates the Appliance is offline. A blank square indicates the Appliance entry is being updated.

Message Statistics: Displays the following message statistics:

Total, Processed, Dropped, Unapproved, and Skipped—Message processing information about each managed Appliance. Click a number in these columns to change the displayed value to the nearest thousand, million, or billion value.

Message Rate/Sec—Message rate, per second, by time segments of 1, 5, and 15 minutes. Click on the message rate values to set the Message Rate graph to 4, 12, and 24 hour timescales, respectively.

Time Skew—Time delta, in seconds, between the Management Station Appliance and each remote Appliance.

Message Rate Graph: Monitors the rate at which messages are passing through your Appliance. The Message Rate graph displays the current message rate by time segments of 1, 5, and 15 minutes. For example, 1 min – 100 msgs/sec. On ST Appliances, to the right of the minutes is the number of messages per second (xxx msgs/sec) for the Appliance. xxx does not reflect the amount of messages that comes in via the LogLogic TCP protocol. The pink line represents the average number of messages per time segment. The blue line represents the real-time incoming message rate for your Appliance. The red line appears when inbound traffic exceeds the preset threshold.

New Alerts: The number of activated alerts, by hour and priority (High, Medium, Low, All). Click an alert value to show the Aggregated LX or MX Alert Log.

Message Counters: Statistics on each message category stored in the syslog database. The count corresponds to a percentage related to the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates.

The following is a list of message counters:

Total Received—Total number of incoming messages for all categories.

Processed—Total number of messages received and parsed into the database.

Skipped—Number of messages ignored by ClarifyCRM due to a syslog message syntactic flaw.

Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. The most recent 100 messages are accessible from the Data Sources screen. (If auto-identify is on, all messages are auto-identified and no messages are unapproved.)

Dropped—Messages recognized but not processed due to network congestion or faulty syntax.

Refresh button: Updates the system status information for your Appliance.
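Tables 2 and 3 both define the Message Counters categories, and Table 2 gives PIX message numbers as examples for the Accepted IP and Denied IP counters. The following Python script is an added example, not LogLogic code, that applies those definitions to a few constructed syslog lines and reports each category as a count and as a share of Total Received, which is how the tables say the counters are meant to be read. The category names and PIX numbers come from Table 2; the syslog header rule, the %PIX tag pattern, the approved-source list and the sample messages are assumptions constructed for this illustration, and the Dropped and Generic counters, which depend on Appliance internals, are not modelled.

```python
"""Tally syslog messages into the Message Counters categories of Tables 2 and 3.

Added example, not LogLogic code. The category names and the PIX message
numbers come from Table 2; the syslog header rule (a "<PRI>" prefix in the
0-191 range), the "%PIX-<severity>-<id>:" tag pattern, the approved-source
list and the sample messages are constructed for this illustration. The
Dropped and Generic counters depend on Appliance internals and are not modelled.
"""
import re
from collections import Counter

# PIX message numbers that Table 2 gives as examples for the two firewall counters.
ACCEPTED_IP_IDS = {302013, 302014, 302015, 302016}
DENIED_IP_IDS = {106001, 106006, 106007, 106015, 106023}

# Stand-in for the Manage Devices table (assumption): sources not listed here
# are counted as Unapproved and discarded.
APPROVED_SOURCES = frozenset({"10.0.0.1", "10.0.0.2"})

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_PIX_RE = re.compile(r"%PIX-\d-(\d{6}):")

# Constructed sample traffic: (source IP as seen by the Appliance, raw message).
SAMPLE_MESSAGES = [
    ("10.0.0.1", "<166>Jan 10 12:00:01 fw1 %PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/443 to inside:10.1.1.5/51234"),
    ("10.0.0.1", "<166>Jan 10 12:00:02 fw1 %PIX-6-302014: Teardown TCP connection 12 duration 0:00:01 bytes 2048"),
    ("10.0.0.2", "<164>Jan 10 12:00:03 fw2 %PIX-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.1.1.7/22 by access-group outside_in"),
    ("10.0.0.2", "Jan 10 12:00:04 fw2 %PIX-4-106006: Deny inbound UDP from 198.51.100.9/53 to 10.1.1.7/53"),  # no <PRI> header
    ("10.0.0.9", "<166>Jan 10 12:00:05 fw9 %PIX-6-302015: Built outbound UDP connection 13"),  # source not approved
    ("10.0.0.1", "<165>Jan 10 12:00:06 fw1 %PIX-5-111008: User admin executed the show run command"),  # parses, no firewall counter
]


def classify(source_ip, raw, approved=APPROVED_SOURCES):
    """Return the counter category of one message, checked in the Table 2 order."""
    if source_ip not in approved:
        return "Unapproved"
    pri = _PRI_RE.match(raw)
    if pri is None or int(pri.group(1)) > 191:
        return "Skipped"  # syntactic flaw: missing or out-of-range PRI
    tag = _PIX_RE.search(raw)
    if tag is not None:
        msg_id = int(tag.group(1))
        if msg_id in ACCEPTED_IP_IDS:
            return "Accepted IP"
        if msg_id in DENIED_IP_IDS:
            return "Denied IP"
    return "Other"


def tally(messages, approved=APPROVED_SOURCES):
    """Return a Counter with Total Received, Processed and the per-category counts."""
    counts = Counter()
    for source_ip, raw in messages:
        category = classify(source_ip, raw, approved)
        counts["Total Received"] += 1
        counts[category] += 1
        if category not in ("Unapproved", "Skipped"):
            counts["Processed"] += 1  # received and parsed into the database
    return counts


def share(counts, category):
    """Percentage of Total Received that a category represents."""
    total = counts["Total Received"]
    return 0.0 if total == 0 else 100.0 * counts[category] / total


if __name__ == "__main__":
    c = tally(SAMPLE_MESSAGES)
    for name in ("Total Received", "Processed", "Unapproved", "Skipped",
                 "Accepted IP", "Denied IP", "Other"):
        print("%-15s %3d  %5.1f%%" % (name, c[name], share(c, name)))
```

For the six constructed lines the tally is 6 received, 4 processed, 2 Accepted IP, 1 Denied IP, 1 Skipped, 1 Unapproved and 1 Other; a rising Skipped or Unapproved share against a flat Processed count is the kind of change that Table 2 says the counters are there to reveal.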

Viewing Message Rate

The Message Rate tab shows the number of messages processed by the Appliance over a 12-hour time period.

To view the message rate of the Appliance

1. Choose Dashboards > System Status from the navigation menu.

2. Click the Message Rate tab to view the Message Rate graph.

3. If you are viewing a larger version of the Message Rate graph, click the back and forward buttons to display the number of messages during a specific time segment.

For additional information about the graph, see Table 4 on page 30.


4. Click the Refresh button to update the Message Rate graph.

Table 4 Message Rate Tab Elements

Back and forward buttons:

• Go back 12 hours.

• Go back six hours.

• Go forward 12 hours.

• Go forward six hours.

Help icon: Displays the corresponding Help topic.

Message Rate section

<blue line>: Real-time message traffic which includes UDP syslog and/or raw TCP (SyslogNG) traffic.

<pink line>: Average rate of the incoming messages for the time segment shown.

<red line>: Appears when inbound traffic exceeds the preset threshold.

Refresh button: Updates the Message Rate graph.

Viewing CPU Usage

The CPU Usage tab contains a graph that shows CPU utilization as a percentage over a 12-hour time period.

To view the CPU usage

1. Choose Dashboards > System Status from the navigation menu.

2. View the CPU usage by doing one of the following in the System Status screen:

— View the small graph in the CPU Usage section.

— Click on the small graph in the CPU Usage section to view a larger version of the graph.

— Click the CPU Usage tab to view a larger version of the graph.

3. If you are viewing a larger version of the CPU Usage graph, click the back and forward buttons to display the number of messages during a specific time segment.

For additional information about the graph, see Table 5 on page 31.

4. Click the Refresh button to update the CPU Usage graph.

Table 5 CPU Usage Tab Elements

Back and forward buttons:

• Go back 12 hours.

• Go back six hours.

• Go forward 12 hours.

• Go back 12 hours.

Help icon: Displays the corresponding Help topic.

CPU Usage section

<blue line>: CPU usage in real time.

<pink line>: Average CPU percent utilization for the time segment shown. To see a larger version of the screen, click the CPU Usage tab.

Refresh button: Updates the CPU Usage graph.


Viewing Log Source Status

The Log Source Status tab lets you view statistics for each source device.

If, during auto-discover, a device has the same name as an existing device, a random number is appended to the source IP for this device.

To view the log source status

1. Choose Dashboards > Log Source Status from the navigation menu.

2. View the following log status information for each source device:

— Name

— IP Address

— Type

— Collector Domain

— Total Message Count

— Byte Rate/Sec

— Description

For detailed descriptions of each item, see Table 6 on page 32.

3. Click the Refresh button to update the view of your devices.

4. Optionally, click to print all the items in the list.

Log Source Status Descriptions

Table 6 lists and describes the elements in the Log Source Status tab.

Table 6 Log Source Status Tab Elements

CSV icon: Saves the report in a CSV format. You should save the file and export it to an Excel spreadsheet for viewing.

Note: The CSV file saves and displays a maximum of 10,000 lines. A generated report can contain more than this number.

HTML icon: Displays the report in HTML format in a new window. You can save the HTML file to your local machine.

Note: The HTML file saves and displays a maximum of 5000 lines. A generated report can contain more than this number.

PDF icon: Saves the report as a PDF file. You can save the PDF file to your local machine. Viewing the generated report as a PDF only works for Adobe Acrobat Reader version 6.0 and higher.

Note: The PDF file saves and displays a maximum of 5000 lines even though the generated report may contain more than this number.

Print icon: Click to print all the items in the list.

Help icon: Click to display the corresponding Help topic.

Paging controls:

• Displays the previous page of detail for the device list.

• Displays the next page of detail for the device list.

• To display details for a specific page, type a page number and click GO.

Note: For certain pages that display this option, you can only view a set number of rows. To set the number of rows to view, use the Personal Preferences tab.

Log Source Status section (all of the following columns are sortable)

Name: Name of your source device. The format for this field is <collector domain id>_<ip address>_<device type>, for example 1_10.10.10.10._windows.

IP Address: IP address for your source device.

Type: Type of source device.

Collector Domain: This is the name used to identify each message sent from a specific device. This can either be the Collector Domain name added in the LogLogic Universal Collector or the name specified in the LMI when the device was added.

Total Message Count: The following types of message counts:

Total—Total number of messages processed for the specified device.

• 1 Min—Total number of incoming messages during the previous one minute period.

• 5 Min—Total number of incoming messages during the previous five minute period.

• 15 Min—Total number of incoming messages during the previous 15 minute period.

1 Min (Byte Rate/Sec): Byte rate per second for each device during the previous one-minute period.

Description: Description you defined for the Source Device in the Management > Devices > Devices tab and Management > Check Point Configuration > Interfaces tab. If you selected the Auto-identify Log Sources option in the Administration > System Settings > General tab, the system displays that the source device is an auto-identified log source.

Refresh button: Updates the view of your devices. If auto-identify is enabled and the Appliance detects new devices, refresh displays them in this view.

Advanced Options: By default, all these options are displayed:

• Name

• IP Address - supports /prefix length <0-32> for IPv4 and /prefix length <0-128> for IPv6. Available options include:

— equals - only returns the pattern entered

— not equals - returns everything but the entered pattern

— in - several patterns may be entered separated by a comma; all matches will be returned

— not in

— like - like behaves the same way as "in"

— not like

Note: The use of asterisks (*) is no longer supported.

• Type

• Collector Domain

• Total

• 1 Min

• 5 Min

• 15 Min

• 1 Min (Byte Rate/Sec)

• Description

Use the drop-down menu to view options in ascending or descending order.

Clear icon: Deletes all text in the Advanced Options text boxes.

Execute icon: Executes with the defined Advanced Options parameters.
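The IP Address option above accepts bare addresses and prefix lengths and distinguishes equals, not equals, in, not in, like and not like. The following Python script is an added example, not LogLogic code, that reproduces those filter semantics offline against a constructed device list, which is useful for checking what a saved Advanced Options filter will return before relying on it. The operator names and the prefix-length limits come from Table 6; the Appliance's own matching implementation is not documented, so the logic below, built on Python's ipaddress module, and the device rows are assumptions for this illustration.

```python
"""Evaluate the Log Source Status "IP Address" Advanced Option offline.

Added example, not LogLogic code. The operator names and the /prefix-length
rule (0-32 for IPv4, 0-128 for IPv6, no asterisks) come from Table 6; how the
Appliance evaluates them internally is not documented, so the matching below
is an assumption built on Python's ipaddress module. The device rows are
constructed in the Name format given in Table 6.
"""
import ipaddress

OPERATORS = ("equals", "not equals", "in", "not in", "like", "not like")

# Constructed device rows; the name format is <collector domain id>_<ip address>_<device type>.
DEVICES = [
    {"name": "1_10.10.10.10_windows", "ip": "10.10.10.10"},
    {"name": "1_10.10.10.25_linux", "ip": "10.10.10.25"},
    {"name": "2_10.20.0.7_pix", "ip": "10.20.0.7"},
    {"name": "2_2001:db8::15_linux", "ip": "2001:db8::15"},
]


def parse_pattern(pattern):
    """Turn one filter pattern into a network; a bare address becomes a /32 or /128."""
    pattern = pattern.strip()
    if "*" in pattern:
        raise ValueError("asterisk wildcards are not supported: %r" % pattern)
    # strict=False accepts host bits set, so 10.10.10.10/24 means 10.10.10.0/24;
    # ip_network() itself rejects prefix lengths outside 0-32 / 0-128.
    return ipaddress.ip_network(pattern, strict=False)


def parse_patterns(value):
    """Split a comma-separated pattern list, as accepted by in / not in / like / not like."""
    patterns = [parse_pattern(p) for p in value.split(",") if p.strip()]
    if not patterns:
        raise ValueError("no pattern given")
    return patterns


def ip_matches(ip, patterns):
    """True when the address falls inside any of the parsed networks."""
    addr = ipaddress.ip_address(ip)
    # An IPv4 address never falls inside an IPv6 network and vice versa.
    return any(addr.version == net.version and addr in net for net in patterns)


def filter_devices(devices, operator, value):
    """Return the rows whose IP satisfies the operator; "like" is treated as "in" (Table 6)."""
    if operator not in OPERATORS:
        raise ValueError("unknown operator %r" % operator)
    patterns = parse_patterns(value)
    if operator in ("equals", "not equals") and len(patterns) != 1:
        raise ValueError("%s takes exactly one pattern" % operator)
    negate = operator.startswith("not ")
    return [row for row in devices if ip_matches(row["ip"], patterns) != negate]


def names(rows):
    """Convenience accessor used when reporting filter results."""
    return [row["name"] for row in rows]


if __name__ == "__main__":
    print(names(filter_devices(DEVICES, "in", "10.10.10.0/24, 2001:db8::/32")))
    print(names(filter_devices(DEVICES, "not equals", "10.10.10.10")))
```

Because the Appliance no longer accepts asterisks, the script rejects them too rather than silently treating them as a literal; an out-of-range prefix such as /33 on an IPv4 pattern is refused by ipaddress itself.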

Viewing Unapproved Messages

Use the Unapproved Messages tab to view information on up to 100 of the most recent real-time messages received from a recognized but unapproved source.

Unapproved messages are discarded.


Summary data on unapproved messages can be seen from the Dashboards > System Status tab.

Messages from logs routed using LogLogic TCP are not listed here because they are not treated as real-time messages.

To view unapproved messages

1. Choose Dashboards > Log Source Status from the navigation menu.

2. Click the Unapproved Messages tab.

3. This section contains the following elements.

Table 7 Unapproved Messages Tab Elements

No.: Number assigned to the message.

Time: Time the message was received.

Firewall: IP address of the Appliance through which the message was received.

Message: Text of the message.

4. Click the Refresh button to update the information.

5. (Optional) Click to print all the messages in the list.

Viewing Recent Messages

Use the Recent Messages tab to view information on up to 100 of the most recently-received real-time messages.

Messages from logs routed using LogLogic TCP are not listed here because they are not treated as real-time messages.

To view recent messages

1. Choose Dashboards > Log Source Status from the navigation menu.

2. Click the Recent Messages tab.

3. This section contains the following elements.


Table 8 Recent Messages Tab Elements

No.: Number assigned to the message.

Time: Time the message was received.

IP Address: IP address of the Appliance through which the message was received.

Message: Text of the message.

4. Click the Refresh button to update the information.

5. (Optional) Click to print all the messages in the list.


Viewing Log Source Data Trend

The Log Source Data Trend tab displays graphs of the incoming Syslog data rate in MB from all sources over the last 24 hours. The top graph displays Realtime Logs, and the bottom graph shows File Transfer Logs. Log data that has been fully indexed is represented by blue bars; log data still to be indexed is represented by orange bars. The bar graphs refresh once per minute.

To view log source data trend

1. Choose Dashboards > Log Source Data Trend from the navigation menu.

2. View the Syslog data from all sources within the last 24 hours as shown below.


Managing Your Dashboard

The My Dashboard menu allows you to customize your Dashboard with visualizations, known as “widgets”, representing Report Results, Search Results, Alerts, and Appliance performance. For example, if you have an Index Search showing web surfing activity within the Intranet, this data can be presented on your Dashboard using the Trend Graph widget and refreshed periodically with recent data from that Index Search.

The system admin can specify the maximum number of widgets that can be displayed on your Dashboard using the Administration > System Settings > General tab.

It is possible to exceed the recommended number of widgets (10) on your My Dashboard. However, graphical errors may result in the data displayed. Similarly, if you set the amount of data to be displayed inside each widget beyond the recommended value of 10, graphical errors may result.

Widget Types

You can create different types of widgets to add to your dashboard canvas. The different types are:

Summary: Displays the top 10 results from any Report saved with the Summarized option. It also displays All Index Reports as well as Index Searches that are grouped by option (except grouped by Time). For details, see Managing Summary Widgets on page 41.

Trend: Displays a trend of Index Search hits occurring over a period of 1 day, 1 week or 1 month. For details, see Managing Trend Widgets on page 44.

Alerts: Displays recent triggered alerts matching your specified filters. For details, see Managing Alert Widgets on page 47.

System: Displays Network and File based data ingest trends, Disk usage, and CPU usage utilization. For details, see Managing System Widgets on page 49.

1. The widget list is only populated by reports. Therefore, you must save a report before you can create a widget.

2. Imported Compliance Suites are templates, not reports. Hence, you need to save one as a report for it to appear in the Widget list.

3. Widgets show data from time periods as specified (Once every few hours, Once a day, Once a week, and Once a month). The widget data is refreshed after the time period has completely passed. For example, if you specify the Once a day time frame and feed data at 2:17pm, the widget data will be refreshed after midnight. Similarly, if you specify the Once a week time frame, the widget data will be refreshed after Sunday midnight.

4. A widget report is always executed according to its schedule. Only when a widget is first created and added to the dashboard does the widget report execute outside the schedule. Therefore, if you wish to modify a widget report schedule, first delete the widget, and then re-create a new widget with the new schedule.

About My Dashboard

By default, the dashboard canvas displays some pre-configured widgets. The Widgets link enables you to add widgets to your dashboard. A new widget is always added on the upper left side of your dashboard canvas. If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again. For detailed information about widgets, see Managing Widgets on page 40.

The NAS/SAN Disk Usage widget will display only on the ST Appliance.

To view your dashboard

1. Access Dashboards > My Dashboard from the navigation menu.

2. View your My Dashboard canvas as shown below.

Managing Widgets

The Dashboard is highly customizable with widgets and data of your selection.

The Widgets link allows you to view and add existing widgets to your dashboard, create new widgets, edit existing widgets settings, or remove widgets from the system.


Using the drag-and-drop method, you can change the position of widgets on your Dashboard. Click and drag the widget's title bar to move a widget to a new location on the canvas. You can also resize any widget by pulling the bottom edge of the widget. The system automatically saves your latest widget positions with your LogLogic User Account.

Depending on the widget type, some widgets display different buttons on the upper right corner of the widget.

Table 9 lists and describes the widget buttons.

Table 9 Widget Buttons

• Show Toolbar: Shows the toolbar for that widget. Using this toolbar, you can view different presentation options of the selected report. For example, for a Summary widget, you can choose to view Column chart, Bar chart or Table format.

• (Full screen): Displays the widget in full screen view. If it is already in full screen view, this will restore the widget to normal size.

• (Settings): Displays the widget’s existing settings. Click the button to open the Edit widget settings window. This allows you to change the widget’s existing settings.

• (Remove): Removes the widget from your Dashboard. However, the widget is still available in the widget list to use on other dashboards.

• (Color): Select the color of the widget's graph from a color palette.

Note: From the widget toolbar, this button is available only for certain widget types.

By default, widgets are created exclusively for your use. However, you can share your widgets with others by checking the Shared option on the widget's settings screen. Sharing Report and Search widgets improves system performance, since the underlying data used for the visualization only needs to be created once for all Dashboard views of the Widget.

Managing Summary Widgets

The Summary widget provides a focused visualization of the first 10 records returned from the underlying Saved Report query.


If you click the Show Toolbar button, the widget displays more view options such as Column Chart, Bar Chart, Table, Axis Label, and Drilldown. The Drilldown button takes you to the actual report page where you can run the report with the same log sources. The time frame on the widget is defined separately from the actual report’s time range. Similarly, when a widget is shared and you do not have the same privileges as the widget owner, you may not be able to view the same data as displayed in the widget.

For more information on other widget buttons, see Table 9 on page 41.

To add an existing summary widget to your dashboard

If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Summary icon. A list of existing summary widgets, if any, is displayed in the second pane.

3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.

4. Click the Add to Dashboard button to add the widget to your dashboard.

To create a new summary widget

To create a summary widget, you must have the Reporting privileges. For more information about privileges, see Managing Users in the LogLogic Administration Guide.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Summary icon. A list of existing summary widgets, if any, is displayed in the second pane.

3. Click the Create New button to create a new widget. The new widget settings pane appears as shown below.

4. Enter the Name and Description of the widget.

5. Select a report from the Report list as explained in Table 10.


6. Specify a Timeframe as explained in Table 9.

Table 10 Summary Widgets Elements

Name: Name of your widget that is displayed on the widget Title bar.

Description: Description of your widget.

Shared: Select the checkbox if you want to share your widget with others. However, only the creator can edit this widget's settings.

Selected: Displays the selected report from the Report list. When no report is selected, None is displayed.

Enter text to filter: Enter the text to filter the Report list and then press Enter.

Report list: By default, the following columns are displayed:

Type--the report template type, for example, User Access

Name--the name of the report

Description--the description of the report

Click on the column heading to sort the table by that column in ascending or descending order.

Timeframe section

Run: Specify the time frame to refresh the widget’s report results. The options are:

Once every few hours

Once a day

Once a week

Once a month

Note: Depending on the Run option selected above, the fields that follow may change. For example, if you select the Once a week option, specify the time and day of the week.

Specify the appropriate intervals.

7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click Add to Dashboard button to add the widget to your dashboard.

Or,

Click the Save & Add to Dashboard button to save the settings and add the new widget to your dashboard.


To edit an existing summary widget’s settings

Only the creator of the widget can edit that widget’s settings.

1. Select a widget from the saved widget list.

2. Make the appropriate changes.

3. Click the Save Settings button to save the new settings.

The Save & Add to Dashboard button is available only when the widget is not on your dashboard.

Managing Trend Widgets

The Trend widget displays a trend of Index Search “hits” occurring over a period of 1 day, 1 week or 1 month.

If you click the Show Toolbar button, the widget displays more view options such as Column Chart, Line Chart, and Drilldown. The Drilldown button takes you to the actual report page where you can run the report with the same log sources. The time frame on the widget is defined separately from the actual report’s time range. Similarly, when a widget is shared and you do not have the same privileges as the widget owner, you may not be able to view the same data as displayed in the widget.

For more information on other widget buttons, see Table 9 on page 41.

Figure 1 Trend Widget Example


Trend widgets allow you select a time range and zoom in to the data. When you specify a time range on the widget, the Drilldown option will use the same time range to display the report. If the chart is zoomed in, the zoomed time range will be used if you click the Drilldown option.

Figure 2 Trend Widget Zoomed in time range Example

To add an existing trend widget to your dashboard

If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Trend icon. A list of existing trend widgets, if any, is displayed in the second pane.

3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.

4. Click the Add to Dashboard button to add the widget to your dashboard.

To create a new trend widget

To create a trend widget, you must have the Index Search privileges. For more information about privileges, see Managing Users in the LogLogic Administration Guide.


1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Trend icon. A list of existing trend widgets, if any, is displayed in the second pane.

3. Click the Create New button to create a new widget. The new widget settings pane appears as shown below.

4. Enter the Name and Description of the widget.

5. Select a saved search from the Search list as explained in Table 11.

6. Specify the Trend Range as explained in Table 11.

Table 11 Trend Widgets Elements

Name: Name of your widget displayed on the widget Title bar.

Description: Description of your widget.

Shared: Select the checkbox if you want to share your widget with others. However, only the creator of the widget can edit the settings.

Selected: Displays your selected search. When no search is selected, None is displayed.

Enter text to filter: Enter the text to filter the saved search list and then press Enter.

Search List: By default, all these columns are displayed:

Type–the report template type, for example, User Access

Name–the name of the report

Description–the description of the report

Click on the column heading to sort the table by that column in ascending or descending order.

Trend Range section

Timespan: Specify the timespan from the drop-down menu. The options are:

• 1 Day

• 7 Days

• 30 Days

7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click the Add to Dashboard button to add the widget to your dashboard.

Or,

Click the Save & Add to Dashboard button to save the settings and add the new widget to your dashboard.

To edit an existing trend widget’s settings

Only the creator of the widget can edit that widget’s settings.

1. Select a widget from the saved widget list.

2. Make the appropriate changes.

3. Click the Save Settings button to save the new settings.

The Save & Add to Dashboard button is available only when the widget is not on your dashboard.

Managing Alert Widgets

The Alert widget displays recent triggered alerts matching your specified filters.

If you click the Show Toolbar button, the widget displays more view options such as Enable and Disable.

For more information on other widget buttons, see Table 9 on page 41.

To add an existing alert widget to your dashboard

If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Alerts icon. A list of existing alert widgets, if any, is displayed in the second pane.

3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.

4. Click the Add to Dashboard button to add the widget to your dashboard.


To create a new alert widget

To create an alert widget, you must have the Manage Alerts privileges. For more information about privileges, see Managing Users in the LogLogic Administration Guide.

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the Alerts icon. A list of existing alert widgets, if any, is displayed in the second pane.

3. Click the Create New button to create a new widget. The new widget settings pane appears as shown below.

4. Enter the Name and Description of the widget.

5. Specify how to show alerts based on Type & Priority or Custom Selection as explained in Table 12.

6. Specify the number of alerts from the Show most recent list as explained in Table 12.

Table 12 Alerts Widgets Elements

Name: Specify the name of your widget displayed on the widget Title bar.

Description: Specify the description of your widget.

Shared: Select the checkbox if you want to share this widget with others. However, only the creator can edit this widget's settings.

Only show section

Type & Priority: Select this option to specify the type of system and priority. Click the checkbox to select the priority level.

Custom Selection: Select this option to specify alerts from the existing list.

Selected: Once you select an alert rule from the Available list, it appears under this column.

Available: Displays the list of available alert rules. Select the alert by clicking the appropriate alert rule name (or names). This allows you to define which triggered alerts appear on your dashboard.

Show most recent: Specify how many alerts are displayed in the widget. The options are:

• 10 Alerts

• 25 Alerts

• 50 Alerts

• 100 Alerts

7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click the Add to Dashboard button to add the widget to your dashboard.

Or,

Click the Save & Add to Dashboard button to save and add the new widget to your dashboard.

To edit an existing alert widget’s settings

Only the creator of the widget can edit that widget’s settings.

1. Select a widget from the saved widget list.

2. Make the appropriate changes.

3. Click the Save Settings button to save the new settings.

The Save & Add to Dashboard button is available only when the widget is not already on your Dashboard.

Managing System Widgets

The System widget type provides four pre-defined widgets: Network-based Data Ingest, File-based Data Ingest, Disk Usage, and CPU.

For more information on widget buttons, see Table 9 on page 41.

If you click the Show Toolbar button, the widget displays more view options, such as an Hour range of 2 Hr, 6 Hr, or 12 Hr. For more information on other widget buttons, see Table 8 on page 34.


To add a system widget to your dashboard

1. Access Dashboards > My Dashboard > Widgets from the navigation menu.

2. Click the System icon. The pre-defined widgets are displayed in the second pane.

3. Select the widget by clicking on the name from the list of pre-defined widgets to view the details in the pop-up window.

4. Click the Add to Dashboard button. The widget is added to your dashboard.

If a widget is already added to the dashboard, you cannot add the same widget to the Dashboard again.

Defining your Dashboard Canvas Settings

You can specify the number and size of columns on your Dashboard canvas.

To define your dashboard canvas settings

1. Access Dashboards > My Dashboard from the navigation menu.

2. Click the Dashboard link. The Edit dashboard settings window appears as shown below.

3. Specify the number of columns from the column layout options. The options are: One Column, Two Columns, or Three Columns.

4. If you select Two or Three columns option, specify the width of the column by dragging the slider to the desired width.

5. You can preview your column settings in the Preview window.

6. Click Save Settings to save your Dashboard settings. The widgets on your Dashboard are rearranged as per the new Dashboard settings.

Chapter 3

Viewing Real Time Log Messages

The Real Time Viewer provides a scrolling display of log messages from all log sources as the Appliance receives them. You can either filter messages or view all log messages unfiltered as they arrive.

Real Time Viewer displays log messages only for syslog log sources, not for file transfer or database log source types (including log messages forwarded using LogLogic TCP).

Topics

Accessing and Selecting Real Time Messages to View on page 52

Viewing Log Messages in Real Time on page 56

Java Security Settings on page 57


Accessing and Selecting Real Time Messages to View

The Real Time Viewer shows an immediate scrolling display of log messages as they are received by the Appliance.

To access the Real Time Viewer:

Choose Search > Real Time Viewer from the navigation menu.

Table 1 Real-Time Viewer Tab Elements

Saved Custom Report: Select a Custom Report from the drop-down menu. If you do not have any saved Custom Reports, this field is grayed out. This option is useful to view real-time data with the specified parameters from your saved filter for a specific Appliance.

Device Type: Devices associated with the Appliance.

Source Device: IP address of the selected Device Type. The drop-down menu contains the devices connected to the Appliance.

Highest Severity: Specify the selection of a set of syslog messages by their highest severity. Select this checkbox to filter the syslog messages of that severity.

Search Filter: Define an expression used to limit the information displayed from the devices. Filter options are:

• Pre-Defined—The drop-down contains pre-defined search filters that you manage in the Search Filters tab.

• Use Words—The components of messages. The maximum character length of the Use Words field is 125. For example, userIDs like cjreid, or parts of IP addresses like 192.

• Use Exact Phrase—A component of a syslog message that is not randomly linked but forms a fixed string, for example, a specific URL or Authentication rejected:, keyboard-interactive for root. The maximum character length of the Use Exact Phrase field is 250.

• Regular Expression—A regular expression is a tool comprised of characters and symbols that enables the search to identify patterns retrieved from the storage database. The maximum character length of the Regular Expression field is 250. For example:

User .* connected, \>su:.*(to root), and sshd.*Accepted.*for root from

Save Custom Report: Define and save frequently used search criteria for future use to execute a report against your real-time logs more quickly. Novice users can run reports with complex search criteria with minimal input. Specify the following information:

Report Name—A name for the report.

Report Description—A brief description for other users to understand the type of information that this report generates.

Share with Other Users checkbox: The default, Share with Other Users option lets you make this Custom Report accessible to other users logging in to this Appliance.

Save Report button: Click to save your changes.

Run button: Runs the filter and displays the real-time log view.
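The three text filter modes and the field limits described in the Search Filter row above can be applied to a syslog stream offline, which is useful for checking that a filter matches what you expect before saving it as a Custom Report. The following Python is an added example, not code from the guide or from LogLogic: the syslog lines are constructed sample data, the guide's own example patterns are used as filters, and the treatment of Highest Severity as "keep messages at this severity or more severe" is an assumption.

```python
import re

# Maximum field lengths from the Real-Time Viewer Search Filter description.
MAX_LEN = {"words": 125, "phrase": 250, "regex": 250}

# Constructed sample syslog lines (not from the guide). The <PRI> prefix
# encodes facility*8 + severity; severity 0 is most severe, 7 least.
SAMPLE_MESSAGES = [
    "<38>Mar  1 10:02:11 bastion sshd[2210]: Accepted publickey for root from 192.0.2.45 port 51022 ssh2",
    "<37>Mar  1 10:02:30 bastion su: (to root) cjreid on pts/0",
    "<37>Mar  1 10:03:02 bastion sshd[2231]: Authentication rejected: keyboard-interactive for root",
    "<86>Mar  1 10:04:00 app01 portal: User alice connected from 10.1.0.7",
    "<134>Mar  1 10:05:15 web-01 nginx: 198.51.100.3 GET /index.html 200",
]


def syslog_severity(line):
    """Return the severity (0-7) from a <PRI> prefix, or None if absent."""
    m = re.match(r"<(\d{1,3})>", line)
    return int(m.group(1)) & 7 if m else None


def build_matcher(mode, text):
    """Turn one Search Filter field into a predicate over a message string."""
    if mode not in MAX_LEN:
        raise ValueError(f"unknown filter mode: {mode!r}")
    if len(text) > MAX_LEN[mode]:
        raise ValueError(f"{mode} filter exceeds {MAX_LEN[mode]} characters")
    if mode == "words":
        # Use Words: every whitespace-separated component must occur somewhere
        # in the message, in any order (userIDs, partial IPs such as "192.").
        words = text.split()
        return lambda msg: all(w in msg for w in words)
    if mode == "phrase":
        # Use Exact Phrase: the text must occur as one fixed string.
        return lambda msg: text in msg
    # Regular Expression: compiled once, searched anywhere in the message.
    pattern = re.compile(text)
    return lambda msg: pattern.search(msg) is not None


def real_time_filter(lines, mode, text, highest_severity=None):
    """Keep the lines the viewer would display for this filter.

    highest_severity is an assumed reading of the Highest Severity checkbox:
    keep messages at that severity or more severe (numerically <= the value).
    """
    matcher = build_matcher(mode, text)
    kept = []
    for line in lines:
        if highest_severity is not None:
            sev = syslog_severity(line)
            if sev is None or sev > highest_severity:
                continue
        if matcher(line):
            kept.append(line)
    return kept


def exceeds_limit(mode, text):
    """True when the field would be rejected for exceeding its length limit."""
    try:
        build_matcher(mode, text)
    except ValueError:
        return True
    return False
```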

To run the Real Time Report

1. Designate which messages to view in real time. You can pre-filter messages by source device, message severity, and text matches.

2. Click the Run button.

The Real Time Viewer appears, displaying messages meeting the filter criteria as the Appliance receives them.

When you leave the Real Time Viewer and return to it later, the content in the Viewer restarts upon your return. Messages from the previous Viewer instance are not retained in the new Viewer instance.

To run a previously saved report in the Real-Time Viewer:

1. Choose Search > Real Time Viewer from the navigation menu.

2. Select the report from the Save Custom Report drop-down menu.

3. Click the Run button.

To specify parameters to run a new report in the Real-Time Viewer

1. Choose Search > Real Time Viewer from the navigation menu.

2. Select the device type.

3. Select the source device connected to your Appliance.

4. Choose the severity level. To specify the highest level, check the Highest Severity checkbox.

5. Type your search criteria to limit information displayed from the device(s).

6. Click the Run button.

To save a Custom Report in the Real-Time Viewer

After specifying the parameters for your report, save the report:

1. Click to expand the Save Custom Report section.

2. Type a name for your report and provide a brief description.


3. If you do not plan to share the report with other users logging in to the Appliance, uncheck the Share with Other Users checkbox. By default, this checkbox is selected.

4. Click the Save Report button to save your changes.


Viewing Log Messages in Real Time

Based on your selections in the Real-Time Viewer tab, the Real-Time Viewer: Log Messages tab shows a scrolling view of log messages in real time as they are received by the Appliance. The messages shown are determined by your input in the Real-Time Viewer tab Search Filter section.

If you need to scroll through the incoming messages, click Pause. However, messages that arrive while the view is paused are skipped by the view; they do not get displayed when you resume.

Table 13 Real-Time Viewer: Log Messages Screen Elements

Selected Device: Displays the Appliance source device name for the selection in the Real-Time Viewer Filter form.

Status: Status of the Real-Time Viewer display.

Pause: Stops the real-time view of the incoming log messages. If you pause the view, Real-Time Viewer skips incoming messages until you click Resume. The number of skipped messages is displayed next to Status: Paused.

Resume: Starts the real-time view of the incoming log messages.

(Clear button): Deletes the view of the incoming log messages and refreshes the page.

(Refresh button): Refreshes the view of the incoming log messages.

Buffer Size: The number of lines to store in the buffer for viewing. The default is 10000. To change the buffer size, type the number of lines and click the Buffer Size button.

(Back button): Returns the user to the Real Time Viewer page, where the existing settings can be viewed and changed. After making your changes (or to keep the current settings), click the Run button.


Java Security Settings

After updating your version of Java, use one of the following procedures to allow the Real Time Viewer to launch successfully. If these steps are not followed, then when you run the Real Time Viewer after a Java update its status will remain as “waiting for connection”.

1. From Start > Control Panel select Java (64-bit).

2. In the Java Control Panel window select the Security tab.

3. Click the Edit Site List button, and enter your LMI IP Address and save.

The LMI will now be added to the exception site list and when you run the

Real Time Viewer the status will be Connection Established.

If Java (64-bit) is not listed, follow these steps:

1. From Start > Control Panel select Java.

2. In the Java Control Panel window select the Security tab.

3. Set the Security Level to the lowest setting, which allows all Java programs to run on your computer.

Modifying your Java settings

Used for Real-Time Viewer client connections. Uses a Java applet; some versions of Java will not work. Java 1.8.0.x is recommended.

Note: If you are running Java 1.8.0_x, you will need to:

1. As administrator, update your file C:\Program Files (x86)\Java\jre1.8.0_31\lib\security\java.policy and grant the following permission to the non-abbreviated IPv6 address:

    grant {
        permission java.net.SocketPermission "fd00:0:0:0:0:aaaa:a73:1a3d:4514", "connect,resolve";
    };

You can also add permissions for both the abbreviated and non-abbreviated addresses:

    grant {
        permission java.net.SocketPermission "fd00:0:0:0:0:aaaa:a73:1a3d:4514", "connect,resolve";
    };
    grant {
        permission java.net.SocketPermission "fd00::aaaa:a73:1a3d:4514", "connect,resolve";
    };

The IP address should be replaced with the IP address of your appliance.

2. In Control Panel > Java > Security, add the following to the exception site list: https://[fd00::aaaa:a73:1a3d:4514]:443, where "fd00::aaaa:a73:1a3d" is your appliance IP, and https://[fd00:0:0:0:0:aaaa:a73:1a3d:4514]:443, where "fd00:0:0:0:0:aaaa:a73:1a3d:4514" is the non-abbreviated version of your appliance IP.

The Appliance IP Address can be either IPv4 or IPv6. Both are supported.

Chapter 4

Searching Collected Log Messages

As the Appliance collects log data from your log sources, you can search on those collected log messages. In addition to running various simple and complex searches, you can define search filters and run reports.

Pre-defining search filters lets you include specific search criteria in an Index Search, a Regular Expression Search, the Real Time Viewer, and All Saved Searches without having to re-enter the filtering criteria each time.

Viewing archived data files lets you reload and open older, compressed log data for viewing on an Appliance.

Topics

Search Overview on page 60

Using Index Search on page 62

Tag-Based Searches Using the Tag Picker Interface on page 78

Using Regular Expression Search on page 79

Using Search Filters on page 86

Viewing All Saved Index Searches on page 95

Using and Creating All Index Reports on page 96

For details on Boolean expressions, Regular Expression usage, what gets indexed, and available delimiters, see the Search Strings topic in the Online Help.


Search Overview

LogLogic provides search and reporting tools for finding specific information in collected log message content. The tool you use varies depending on the task you want to perform.

• Index Search: Search on indexed log source messages using a Boolean expression and see the results immediately. Use Index Search when a simple, fast search can provide the information you need to analyze failures or other anomalies.

• Regular Expression (RegEx) Search: Search using a single regular expression or pre-defined search filter, either immediately or at a scheduled time.

• Real Time Viewer: The Real-Time Viewer shows an immediate scrolling display of real-time log messages as they are received by the Appliance. The options form allows for pre-filtering of these messages by log source or device group, message severity, and text matches. Only log messages meeting the filter settings are shown. See Viewing Log Messages in Real Time on page 56.

• Index Report: Generate a report based on indexed data using pre-defined Boolean search filters. Essentially, an Index Report is a compilation of multiple Index Searches run at once. You can specify one or more pre-defined filters to use, and add additional criteria to those filters.

Table 14 Search and Reporting Feature Comparison

The table compares the four tools (Index Report, Index Search, RegEx Search, and Real Time Viewer) on the following features:

• Multiple filters in search

• Boolean Expressions

• Regular Expressions

• Graphical Results Available

• Graphically view trends over time or log sources

• Schedulable Search

• Save customized search criteria for future use

• View finished/past search results

View finished/past search results: Index Report No; Index Search No; RegEx Search Yes; Real Time Viewer Yes.

For a simple search to match a specific string, use Index Search. To search for strings that match more complex patterns, use RegEx Search.


Using Index Search

Use Index Search to perform targeted searches on log messages using keywords, Boolean expressions, and wildcards on the Appliance or log sources. Index Search lets you pinpoint problem areas on all log sources captured on the Appliance and then view the search results quickly.

Due to the dynamic nature of LogLogic reporting, when paging between the last page of search results and other pages, additional messages matching the search criteria might have been received since the initiation of the original search. As such, you might see additional messages included on subsequent visits to the last search results page.

Index Search works on indexed logs making it faster than a search using regular expressions (RegEx search). By default, the Appliance performs an Index Search on the Appliance itself and all log sources collected on the Appliance in the last hour.

Search Expression Rules

The following rules apply when you enter a search expression:

• Use Boolean operators, such as AND, OR, or NOT, in your search expression (but do not begin the expression with a leading NOT)

• Use wildcard characters, such as an asterisk (*) or question mark (?) to match strings (but do not begin the expression with the wildcard)

• Do not use < or > as these are not valid characters

• Use delimiters such as parentheses to tell Index Search what to evaluate first

• Enter up to 256 characters for your search expression

• When using Index Search and Tag Based search, the system does not support the use of search patterns shorter than 3 characters

Index Searches are case insensitive, so you do not have to use all uppercase letters when using Boolean operators, although it helps readability. Some simple Index Search examples include:

Table 15 Index Search Examples

Index Search Example: tcp

Rule: Use search expressions containing at least three characters.

Index Search Examples: authenticate AND failed; Tcp NOT Udp

Rule: Use Boolean operators, such as AND, OR, or NOT.

Index Search Examples: admin*; 10.*

Rule: Use wildcard characters such as an asterisk (*) or a question mark (?) as shortcuts to match strings.

Note: Wildcard character Index Search on IPv6 addresses will only work if the asterisk or question mark is at the end of the address, as in 2001:db8::ff00:42:83??. It will not work if the wildcards are used anywhere else in the address, as in the following examples:

2001:db8::ff00:*:8329

2001:db8::ff0?:42:8329

2001:db8::ff0*:42:8329

2001:db8::????:42:8329

Index Search Example: (tcp and udp) and service

Rule: Use a delimiter such as parentheses to specify what gets evaluated first. In this example, tcp and udp will be evaluated before the service keyword.

For details on Boolean expressions, search strings, and available delimiters, see the Search Strings topic in the Online Help.
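The following Python block is an added example, not code from the User Guide or from the LogLogic Appliance. It applies the Search Expression Rules above to an expression, then evaluates the Table 15 examples against a few constructed log messages. The tokenizer, the whole-word matching and the treatment of adjacent terms as an implicit AND are this example's own assumptions about how the indexer behaves; the Appliance's index may tokenize differently. The IPv6 check enforces the note in Table 15 (a wildcard is accepted only at the end of an address).

```python
import re
from typing import List

# Limits taken from the Search Expression Rules above
MAX_EXPRESSION_LENGTH = 256
MIN_TERM_LENGTH = 3
OPERATORS = {"AND", "OR", "NOT"}

# Tokens are parentheses or runs of non-blank, non-parenthesis characters (assumed tokenizer)
_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def validate_expression(expr: str) -> List[str]:
    """Return the rule violations found in expr; an empty list means it is acceptable."""
    problems = []
    if len(expr) > MAX_EXPRESSION_LENGTH:
        problems.append(f"expression longer than {MAX_EXPRESSION_LENGTH} characters")
    if "<" in expr or ">" in expr:
        problems.append("'<' and '>' are not valid characters")
    tokens = _TOKEN_RE.findall(expr)
    if not tokens:
        problems.append("empty expression")
        return problems
    if tokens[0].upper() == "NOT":
        problems.append("expression must not begin with NOT")
    if tokens[0][0] in "*?":
        problems.append("expression must not begin with a wildcard")
    if tokens.count("(") != tokens.count(")"):
        problems.append("unbalanced parentheses")
    for tok in tokens:
        if tok in ("(", ")") or tok.upper() in OPERATORS:
            continue
        if len(tok) < MIN_TERM_LENGTH:
            problems.append(f"search term {tok!r} is shorter than {MIN_TERM_LENGTH} characters")
        # IPv6 rule from Table 15: only a trailing wildcard is honoured
        if tok.count(":") >= 2 and any(c in tok.rstrip("*?") for c in "*?"):
            problems.append(f"wildcard inside IPv6 address {tok!r}; only a trailing wildcard is supported")
    return problems


def _term_regex(term: str):
    """Translate one term to a case-insensitive whole-word regex (* = any run, ? = one character)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in term)
    return re.compile(r"(?<!\w)" + body + r"(?!\w)", re.IGNORECASE)


class _Evaluator:
    """Recursive descent with precedence NOT > AND > OR; adjacent terms imply AND."""

    def __init__(self, tokens: List[str], message: str):
        self.tokens, self.pos, self.message = tokens, 0, message

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def parse_or(self) -> bool:
        value = self.parse_and()
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            rhs = self.parse_and()  # always evaluated so the tokens are consumed
            value = value or rhs
        return value

    def parse_and(self) -> bool:
        value = self.parse_not()
        while True:
            nxt = self.peek()
            if nxt is None or nxt == ")" or nxt.upper() == "OR":
                return value
            if nxt.upper() == "AND":
                self.take()
            rhs = self.parse_not()
            value = value and rhs

    def parse_not(self) -> bool:
        if self.peek() is not None and self.peek().upper() == "NOT":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self) -> bool:
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return value
        if tok == ")" or tok.upper() in OPERATORS:
            raise ValueError(f"unexpected token {tok!r}")
        return _term_regex(tok).search(self.message) is not None


def index_search(expr: str, messages: List[str]) -> List[str]:
    """Validate expr, then return the messages it matches, in their original order."""
    problems = validate_expression(expr)
    if problems:
        raise ValueError("; ".join(problems))
    tokens = _TOKEN_RE.findall(expr)
    hits = []
    for msg in messages:
        ev = _Evaluator(tokens, msg)
        matched = ev.parse_or()
        if ev.pos != len(tokens):
            raise ValueError(f"unexpected token {ev.tokens[ev.pos]!r}")
        if matched:
            hits.append(msg)
    return hits


# Constructed sample messages (not collected from a real Appliance)
SAMPLE_MESSAGES = [
    "Jan 12 10:01:02 fw1 kernel: proto=TCP src=10.0.0.5 dst=192.168.1.10 action=deny",
    "Jan 12 10:01:03 fw1 kernel: proto=UDP src=10.0.0.7 dst=192.168.1.53 action=allow",
    "Jan 12 10:02:10 host2 sshd: user admin1 failed to authenticate from 172.16.4.9",
    "Jan 12 10:02:11 host2 sshd: user bob authenticated from 10.9.8.7",
]
```

Running index_search("Tcp NOT Udp", SAMPLE_MESSAGES) returns only the first message, and index_search("10.*", SAMPLE_MESSAGES) returns the three messages carrying a 10.x.x.x address; an expression such as "NOT tcp" or "*admin" is rejected by validate_expression before any message is examined.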

Running an Index Search

Index Search is available on all Appliances. By default, the Appliance performs an Index Search on the Appliance itself and all log sources from which logs were collected on the Appliance in the last hour. You can search using these defaults or change them.

To run an Index Search from the Index Search Interface

1. Access the Index Search page from home: Search > Index Search.

2. Enter your search expression in the search text box and click the Run button.

Do not use < or > in your search expression as these are not valid characters.

If you want, you can adjust the search scope and rerun the search by selecting specific log sources and/or a different timeframe.


Selecting Specific Log Sources

To perform a more targeted search, you can narrow the search scope to a group of log sources, such as all firewall interfaces, all routers, all General Syslog, Microsoft sources, other UNIX, or LogLogic Appliances.

The default rule is All Sources except LogLogic, which includes all logs except LogLogic Appliance logs. You can add any individual and/or group of non-LogLogic sources to this rule. However, if you specify any log source other than a LogLogic source, the default rule is removed from the filter list in the left pane and the new log source is added. This exception for LogLogic sources applies only to system-defined groups, not to user-defined groups: if you select a user-defined group that includes only LogLogic sources, the default rule is still removed.

On the Management Station, you can select one managed Appliance, all Appliances, or particular groups of Appliances (for example, all LX Appliances or all ST Appliances) on which to run the search. The Choose Device pop-up automatically populates the log sources included on all defined groups.

When the Appliance selection is All, All LX/MX, or All ST, only system-defined groups (for example, All Cisco PIX) and user-defined global groups that reside on the Management Station are displayed.

To run a targeted Index Search

1. Click the All Sources except LogLogic button to open the Select Source(s) window.

2. Select log sources from the Add Log Sources pane. You can select sources by Appliance, and filter by Name, Collector Domain, IP Address, Group or Type.

a. If you picked “Name”, enter a Source Name, a specific Device Name or a Name Mask. Wild cards are accepted in this field.

b. If you picked “Collector Domain”, enter the name of the Collector Domain. This is the name used to identify each message sent from a specific device.

c. If you picked “IP Address”, enter a Source IP Address, a specific IP Address or an IP Address Mask. Wild cards are accepted in this field.

d. If you picked “Group”, enter a Group Name, or click the down arrow to the right of the text field and select “All” or one of the other Group names displayed in the drop-down box.

e. If you picked “Type”, enter a Source Type (a specific device type), or click the down arrow to the right of the text field and select “All” or one of the other Device Types displayed in the drop-down box.


When adding a large number of devices, create a dynamic rule which contains all listed devices. To create a rule, first filter by Name or Type to retrieve the list of devices. Then, click the << Add filters as a rule button that will create a dynamic rule which contains all listed devices on the right pane.

3. Click << Add filters as a rule.

4. Enter a name for the dynamic rule in the pop-up window and click OK.

5. Click on the sources you want in your search and then click << Add selected log sources to add the selected devices and filters to the left-hand pane.

6. Click Set. The new Index Search source selection appears in the Sources row.

The Index Search Sources field displays the newly added log sources.

Select Time Frame for an Index Search

To select time frame for an Index Search

1. Click the calendar icon (to the right of Last Hour) to launch the Date and Time Range Picker.

2. Select a preset time interval by clicking the down arrow to the right of Last Hour, or pick a timeframe from the pop-up calendar. Click Set.

3. Click Run.

4. At the Search pop-up, select whether you want to retrieve all messages. Click Yes. After a few moments, the Index Search results are displayed.

Using the Search Results Tab

Viewing Index Search Results

Index Search results are displayed in the Search Results tab and the keywords you entered are highlighted in different colors.

For example, when entering login AND user as your Boolean expression, the Search Results tab shows the first keyword “login” in yellow and the second keyword “user” in turquoise.


Figure 3 Viewing Index Search Results


The UI uses several different colors to highlight search keywords after which it repeats the same color scheme.

In the results tab the Collector Domain is displayed in one of two ways:

• For Collector Domains specified in a UC, the Name field shows the format <collector domain id>_<device IP>_<device type>. For example, a Windows machine with an IP address of 10.10.10.10 in collector domain 1 is displayed as 1_10.10.10.10_windows.

• For Collector Domains specified in LMI (Management > Devices > Add New), the Collector Domain name is displayed in the Collector Domain field.
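The following Python block is an added example, not code from the User Guide or the Appliance. It parses the <collector domain id>_<device IP>_<device type> form that a UC-specified Collector Domain takes in the Name field, and recovers the domain for a result row whichever of the two fields carries it. The same naming convention appears in the device list of the Regular Expression Search page, so the parser applies there as well. The field names name and collector_domain used for the row dictionaries, and the sample rows, are this example's own constructions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional


def parse_uc_name(name: str) -> Optional[Dict[str, str]]:
    """Split a Name field of the form <collector domain id>_<device IP>_<device type>.

    Returns None when the name is not in that format. The device type is everything
    after the second underscore, so a type containing underscores survives, and the
    IP is validated so that a plain hostname such as fw_1_core is not misread.
    """
    parts = name.split("_", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    domain_id, ip_text, device_type = parts
    try:
        device_ip = ipaddress.ip_address(ip_text)   # accepts IPv4 and IPv6
    except ValueError:
        return None
    return {"collector_domain_id": domain_id, "device_ip": str(device_ip), "device_type": device_type}


def collector_domain_of(row: Dict[str, str]) -> Optional[str]:
    """Return the collector domain for a result row, whichever field carries it."""
    explicit = row.get("collector_domain", "").strip()
    if explicit:  # domain defined in LMI: shown in the Collector Domain field
        return explicit
    parsed = parse_uc_name(row.get("name", ""))  # domain defined in a UC: encoded in Name
    return parsed["collector_domain_id"] if parsed else None


def group_by_collector_domain(rows: List[Dict[str, str]]) -> Dict[Optional[str], int]:
    """Count result rows per collector domain; rows with no domain land under None."""
    counts: Dict[Optional[str], int] = defaultdict(int)
    for row in rows:
        counts[collector_domain_of(row)] += 1
    return dict(counts)


# Constructed result rows (not real Appliance output); field names are assumed
SAMPLE_ROWS = [
    {"name": "1_10.10.10.10_windows", "collector_domain": ""},
    {"name": "1_10.10.10.11_windows", "collector_domain": ""},
    {"name": "2_2001:db8::1_general_syslog", "collector_domain": ""},
    {"name": "fw-edge-01", "collector_domain": "dmz-collectors"},
    {"name": "fw_1_core", "collector_domain": ""},
]
```

Validating the IP is what keeps a hostname like fw_1_core (which also splits into three underscore-separated parts) from being mistaken for a UC-style name.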

To view search results using different view options

1. From the top right of the Index Search screen, click the View drop-down menu to open different view options. The options are: Reset to Default, Show Timeline, Hide Meta Header, View By, Chart Type.

2. The Search Results view options are:

Table 16 Index Search View Options

Reset to Default: Resets to default settings.

Show Timeline: Select this checkbox to show the timeline graph.

Hide Meta Header: Select this checkbox to hide the metadata header information.

View By: Select the option to view by Time or Device type.

Chart Type: Select the type. The options are Bar chart or Line chart.

Configuring Search Results Settings

To configure Search Results settings

1. From the top right of the Index Search page, click the Options button. The Columns and Grouping window appears.

2. Optionally, enter a filter keyword in the Keyword field to narrow the displayed columns in your report.

3. Select the appropriate Column Name by clicking in the checkbox to include or exclude that column from your report. You can change the column name by clicking on the name. The column name field becomes an editable field allowing you to make the changes.

If you enter the same column name for two columns, the Index Search Results page displays the results for those two columns merged into one column.

4. Click the appropriate move button to reposition the selected column.

5. Choose the Display options.

Table 17 Display Options

Raw: Select this option to display Index Search Results in time-increasing order.

Grouped: Select this option to display Index Search Results grouped by the selected column.

Group By: Choose the column by which to group search results from the drop-down menu. The default options are:

• Time

• Device IP

• Device Source

• Facility

• Severity

You can add more columns by creating custom tags using Log Labels. See the Device Types online help video tutorial for instructions.

Time Interval: This option is enabled when you select Group By Time. The results are grouped based on the specified time interval. Select the Time Interval from the following options:

• Every 5 Minutes

• Every 30 Minutes

• Every Hour

• Every 3 Hours

• Every 6 Hours

• Every 12 Hours

• Every Day

• Every Week

Sum By: This optional setting adds the numerical value of the selected column so that the Search Results Summary displays the sum of the grouped column instead of the count of message instances.

Aggregation Size: Select the option from the drop-down menu. The results are sorted based on the selected option. The options are:

• Top 1

• Top 5

• Top 50

• All

6. Click Apply to apply the new settings. The Index Search Results page displays the refined search results.
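The following Python block is an added example, not code from the User Guide or the Appliance. It reproduces what the Grouped display does with the Group By, Time Interval, Sum By and Aggregation Size settings of Table 17: results are bucketed by a time interval or by another column, counted (or summed over a numeric column), sorted largest first and cut to the top N. The alignment of buckets to midnight and of weekly buckets to Monday, the column names time, device_ip and bytes, and the sample rows are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
# Time Interval choices from Table 17, in minutes
INTERVALS = {"5m": 5, "30m": 30, "1h": 60, "3h": 180, "6h": 360, "12h": 720, "1d": 1440, "1w": 10080}


def time_bucket(timestamp: str, interval: str) -> str:
    """Return the start of the interval containing timestamp.

    Buckets are aligned to midnight of the same day (assumed), and weekly buckets
    start on Monday (assumed).
    """
    t = datetime.strptime(timestamp, TIME_FORMAT)
    minutes = INTERVALS[interval]
    if interval == "1w":
        start = (t - timedelta(days=t.weekday())).replace(hour=0, minute=0, second=0)
    else:
        midnight = t.replace(hour=0, minute=0, second=0)
        elapsed = int((t - midnight).total_seconds() // 60)
        start = midnight + timedelta(minutes=elapsed - elapsed % minutes)
    return start.strftime(TIME_FORMAT)


def group_results(results: List[Dict], group_by: str = "time", interval: str = "5m",
                  sum_by: Optional[str] = None, top: Optional[int] = None) -> List[Tuple[str, int]]:
    """Emulate the Grouped display: one row per group holding a message count,
    or the sum of the sum_by column, ordered largest first and limited to top N."""
    totals: Dict[str, int] = defaultdict(int)
    for row in results:
        key = time_bucket(row["time"], interval) if group_by == "time" else row[group_by]
        totals[key] += row[sum_by] if sum_by else 1
    ordered = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:top] if top else ordered


# Constructed search results (not real Appliance data); column names are assumed
SAMPLE_RESULTS = [
    {"time": "2016-01-12 11:31:05", "device_ip": "10.0.0.5", "severity": "warning", "bytes": 512},
    {"time": "2016-01-12 11:33:40", "device_ip": "10.0.0.5", "severity": "warning", "bytes": 2048},
    {"time": "2016-01-12 11:36:12", "device_ip": "10.0.0.7", "severity": "error", "bytes": 128},
    {"time": "2016-01-12 12:02:00", "device_ip": "10.0.0.9", "severity": "error", "bytes": 4096},
    {"time": "2016-01-12 12:04:59", "device_ip": "10.0.0.5", "severity": "info", "bytes": 64},
]
```

With Group By device_ip and Sum By bytes, the host that sent the single 4096-byte message ranks above the host that sent three smaller ones, which is the difference between counting instances and summing a column that the Sum By setting introduces.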


Managing Search Results

The Search Results tab provides a toolbar with several options for managing search results.

Table 18 Search Results Tab Toolbar Elements

Collapse (toolbar icon): Collapses and condenses the results display view.

In Context (toolbar icon): Allows you to view the selected message in relation to all others in your Index Search results. For details, see Viewing Index Search Results In Context on page 70.

Create Message Pattern: Creates a new log message pattern with the selected message. Highlight a message in the Search Results and click the Create Message Pattern button. The Message Pattern Editor is displayed, which can be used to select a particular message from a particular device and then create a pattern based on the parameters of that message for use in further searches. For detailed instructions, see the online help tutorial or the Creating Message Signatures chapter in the LogLogic Administration Guide.

Clip Selected message(s): From the drop-down menu use the default clipboard, a saved clipboard, or create a new clipboard to save results.

Save: Saves the results. You can choose Save or Save As from the drop-down menu; Save As saves the results as a new report and Save updates a report you saved earlier. See Saving Search Results on page 70.

Number of Indexed Pages: Gets the total number of indexed messages in the Index Search results. This is particularly useful for large volumes of log messages as it lets you go through matched messages one page at a time. To page through the results, click the next arrow; to return to the previous page click the previous page arrow. You can also return to the first page or go to the last page by clicking on the first and last page arrows accordingly. The total results number is automatically updated when you select the Show Timeline graphical view.

Help: Displays context-sensitive help.


Viewing Index Search Results In Context

When analyzing log events, you can select a particular message and see the log messages that immediately preceded or followed the message from your search results.

The In Context tab appears only after the first time you click the In Context icon in the search results toolbar.

To view a particular log message in context

1. On the Search Results tab, select the message that you want to view and then click the In Context icon.

The In Context tab appears (next to the Clipboard tab) and the message you selected is immediately displayed in the Search Results tab.

2. By scrolling down on the page, the affected log message is highlighted in blue to show its relationship to the log messages that preceded this condition as well as those that occurred after this message.

3. Click the appropriate button to save the report. You can choose to save results in CSV, PDF, or HTML format.

Saving Search Results

You can download Index Search results to view immediately or save them in CSV, PDF, or HTML format. These buttons are located on the left side of the Save button. After a few moments, the report in your chosen format appears.

Table 19 Save Search Results

CSV: Use Microsoft Excel or another spreadsheet program to display Index Search results in a spreadsheet. By default, search results are written to SearchExpressionHits.csv and saved on the desktop.

PDF: Use Adobe Acrobat Reader to display the Index Search results. By default, search results are written to report.pdf and saved on the desktop. The first page includes a table of contents with links to the query used for the Index Search and the results table.

HTML: Opens a new tab in your Web browser and immediately displays the HTML Index Search results as a LogLogic report. The HTML results include a table of contents with links to the query used for the Index Search and the results table. By default, the downloaded results are saved as LogLogicReport.zip in a temp folder on the local drive. You can use your own company logo on the report; see the General tab under System Settings.

To save search results report

1. From the Save icon drop-down menu, click Save As to save the report. The Save As Report window appears. (To update a report you have already saved, use the Save option instead.)

2. Enter the name and description of the report in the Name and Description fields respectively. The Name field is a mandatory field.

Do not use any special characters in the Description field when saving the Index report.

3. Select the Suite option from the drop-down menu.

4. Select the Share? checkbox if you want to share the report.

5. Select the desired print option. For a Grouped Search, the options are Print Summary Report or Print Detailed Report.

6. Click Save to save the results.

Viewing Trends

After running Index Searches, you can use the View menu to view search results graphically using the timeline option. The trend output you see is based on your chosen time range and chosen devices referenced by the Index Search and always includes only the messages and devices for that distribution.

The trend feature can be a powerful tool during your analysis of certain events and lets you see trends for certain activities by Time and Device.

Each option lets you view timeline data in either bar chart or line chart format.

These charts show:

• the time or device on the x-axis

• the total number of messages on the y-axis

The procedure for viewing trends over time and by device is the same.

To view trends over time

1. Click the View drop-down menu and then select the Show Timeline checkbox.

A timeline chart displays below the search text box. You can immediately see the distribution of messages over time and begin to get a sense of trends in the timeline chart.

By hovering the mouse over an affected bar, you can get the total number of messages matching your search expression at that particular point in time.

Figure 4 View Menu – Viewing Trends by the Timeline Bar Chart

For example, in the figure below you can see 39 log message instances at 11:30 in the morning. The x-axis shows the time distribution of those instances while the y-axis shows the total number of messages.

Figure 5 Zooming In to the Timeline Bar Chart


2. To zoom in on a particular area of interest, press and hold the left mouse button and drag over the area of interest.

This refreshes the timeline view to show the zoom area in more detail.


Figure 6 Timeline Detail

3. To return to the original view, click Zoom Out.

4. To view the same search in line format, select Chart Type > Line Chart from the View menu.

This displays the results in a line chart format. From this view, you can see spikes in the number of messages that match the keyword “login”.

Figure 7 Viewing Trends by the Timeline Line Chart

Similarly, to view the same Index Search by log source, select View By > Device from the View menu.

Using the Search History Tab

Each time you run an Index Search, your search criteria are automatically saved on the Search History tab. The Search History tab includes:

• Only those Index Searches with valid search criteria.

• User-specific Index Searches, which can be shared when saved as a search filter.

• Most recent searches on the top of the list


You can configure the search entries displayed (rows/page) on the Search History tab through the admin > Your LogApp Account tab (see Viewing Your LogApp Account on page 230).

Saving an Index Search as a Filter

While search histories are user-specific, you can save an Index Search as a search filter. You can use these saved search filters yourself or you can share these saved search filters with other users of the Appliance.

To save an Index Search as a search filter

1. Click Search History to see the history of Index Searches.

2. Select the saved Index Search and then click the Save As Filter button. The Save As Filter dialog box is displayed.

3. Enter a name, description and expression for the filter.

Do not use < or > in your search expression as these are not valid characters.

4. The filter name and description help you and other users to quickly understand the type of information that is generated when running this Index Search.

5. If you want to share this filter with other users, select the Shared with other users checkbox.

6. Click Add.

The Index Search is saved as a filter. You can use the filter in two places:

Search > Index Search > Search Filters tab

Search > All Search Filters tab

Running a Previously Saved Search Expression

Since your Index Searches are automatically saved for you on the Search History tab, you can browse through these previously saved sets of search criteria and run them again.

To run a previously saved Index Search

From the Search History tab, select the saved Index Search that you want to run and then click the Run button.


Using the Search Filters Tab

The Search Filters tab lists all saved search filters created from the Search History tab. The Search Filters tab includes a Run button in the toolbar, making it convenient to run a previously saved search filter.

The Search Filters tab organizes search filters by their name and displays the search expression used for the search filter in the Expression column.

All of your saved search filters show up on the Search Filters tab and on the Index Report tab.

To view or use a previously saved Index Search filter

1. Select the filter from the table and then click the toolbar icon that loads the filter.

This copies the search expression and enters it in the search expression text box.

2. Press Enter to run the search filter.

This loads all the results of the search on the Search Results tab.

Using the Clipboard Tab

The Index Search Clipboard is an important tool for investigating and troubleshooting log events. For example, during your analysis of a certain event, you might find an item of interest in one or more log messages. Once identified, you can create a Clipboard and copy and paste the affected log message(s) onto the Clipboard.

You can create several clipboards until you have found everything you need to help you with your analysis as you drill down on the details. After saving clipped messages to the clipboard, you can view them on the Clipboard tab and on the Search Results tab.

The Clipboard tab provides a toolbar with several options for using clipped messages. These options include:

- Adds a new clipboard

- Deletes one or more clipped messages

- Allows you view or edit the clipped message

Adding a New Clipboard

You can add a clipboard from:


• the Search Results page

• the Clipboard tab

You can add up to 1,000 messages to a Clipboard. Each user is able to create up to 100 Clipboards.

The procedures are essentially the same for adding a new Clipboard. The next procedure shows how to add a Clipboard from the Search Results tab.

To add a new Clipboard from the Search Results tab

1. On the Search Results tab, select messages to add to the clipboard from the search results.

2. To select more than one message to add to the Clipboard, hold the Shift key as you click on each message.

3. From the Clip selected message(s) drop-down menu, select New Clipboard.

4. The Add Clipboard dialog box opens.

5. Enter a name for clipboard in the Name field.

6. If you enter an existing clipboard name, the messages are added to that existing clipboard.

7. Add a description for the clipped message in the Annotate field and click Add.

The clipboard is added to the Clipboard tab and it is also available from the Search Results tab. You can go back and view or edit the clipped message(s) later on to allow for more analysis.

Viewing or Editing Clipped Messages

After saving clipped messages and annotating them, you can view or edit clipboards on the Clipboard tab.

To view or edit clipped messages

1. On the Clipboard tab, select the clipboard that you want to view or edit and click .


The Edit Clipboard dialog box appears. You can change the following:

— the Name of the clipped message

— the Annotation for the clipped message

— remove one or more clipped log messages

2. Modify the Name, Annotation, or remove log messages and click Update.

Deleting Clipped Messages

You can manage the clipboard table by deleting unwanted clipped messages.

To delete a clipped message

1. On the Clipboard tab, select the clipped message you want to delete and click the Delete button.

2. To delete more than one clipped message, hold down the shift key and select the messages you want to delete and then click the Delete button.

The selected messages are deleted from the Clipboard tab.


Tag-Based Searches Using the Tag Picker Interface

You may use the new Tag Picker Interface to access saved search terms in order to quickly run an updated Index Report.

To update an Index Report using the Tag Picker Interface

1. Access the Index Search page by going to home: Search > Index Search. Click the arrow below the text box labeled “Enter your search expression...”.

The Tag Picker Interface opens.

2. Select an Event Type and left-click. The selected Event Type appears in the Enter your search expression... text box.

3. Add a Boolean operator (AND) to the search expression, and left-click a saved Field Tag. The selected Field Tag appears after the Boolean operator in the Search Expression text box.

4. Add a wild card (*) to recall all saved Field Tags with that name. Click Run.

You can specify special characters such as spaces, forward-slashes (/) etc. inside the quotes for Field Tags. For example: Identity: “John Smith”; Domain: “domain name / JOHN SMITH”.

5. Select View and display the Bar Chart for the search expression.

6. Compare with the previous saved Index Search results for this expression.


Using Regular Expression Search

Use the RegEx Search Filter tab to find specific types of data based on search expressions and time intervals you define. RegEx Search provides more powerful search filter options than Index Search, though RegEx Search can take longer to process and is less interactive.

To specify parameters for a new search

1. Select Search > Regular Expression Search from the navigation menu.

2. (Management Station only) Select the Appliance (or All Appliances) on which to run the search.

3. Select the Device Type.

4. Select the Source Device, or all devices, connected to the Appliance.

To view Global groups created on this Management Station, you must select All Appliances under Appliance.

Devices with a Collector Domain are displayed in one of two ways:

— For Collector Domains specified in a UC, the Name field shows the format <collector domain id>_<device IP>_<device type>. For example, a Windows machine with an IP address of 10.10.10.10 in collector domain 1 is displayed as 1_10.10.10.10_windows.

— For Collector Domains specified in LMI (Management > Devices > Add New), the Collector Domain name is displayed in the Collector Domain field.

5. Specify the Time Interval in which to search for data passing through your Appliance.

6. Define your Search Filter. Select one of the following options and specify the respective parameters.

— Retrieve All—Use to retrieve all log files collected during a specified time interval regardless of the defined search expression parameters.

— Pre-Defined—Select a pre-defined search expression (defined in/by search filters). All search filters you create appear in the drop-down menu as a pre-defined search expression. If the selected filter includes multiple parameter fields, a text field for each parameter appears. The maximum length for each field is 25 characters.

— Use Words—Use a specific word(s) as a search parameter.

— Use Exact Phrase—Use an exact phrase as a search parameter.

— Regular Expression—Use a regular expression as a search parameter.

For more information about modifying or creating search expressions, see Using Search Filters on page 86.

7. Specify the Time Interval to search for data passing through your Appliance.

8. Set a time for the search; do one of the following:

— Select the Schedule Search to Run Immediately checkbox to start your search of archived data immediately.

— Define a time to start the search of archived data. If the selected time is in the past, the search runs immediately. This search is useful if you know exactly which data source you want to search and do not need to search a time interval.

9. Enter a Search Name for the search.

10. Select the Notify me when this search completes checkbox to receive a notification that the search has completed.

11. To generate the report, click the Run button.

Concurrent Regular Expression Searches apply only to Appliance models above the 1000 series. You can select the number of concurrent searches to perform. The default is one, but you can choose to perform two searches concurrently.
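The following Python block is an added example, not code from the User Guide or the Appliance. It shows what each Search Filter option in the procedure above amounts to when applied to log lines: Retrieve All accepts every line in the time interval, Use Words requires every word to occur, Use Exact Phrase requires the phrase verbatim, Regular Expression applies a pattern as given, and Pre-Defined fills a saved expression's parameter fields, escaping each value and enforcing the 25-character limit on it. The $name placeholder syntax for pre-defined filters, the timestamp layout at the start of each line, and the sample lines are this example's own assumptions; how the Appliance actually stores and substitutes filter parameters is not described on this page.

```python
import re
from datetime import datetime
from string import Template
from typing import Callable, Dict, List, Optional

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed layout of the leading timestamp on each sample line
MAX_PARAM_LENGTH = 25               # documented limit for each parameter field of a pre-defined filter


def build_matcher(mode: str, value: str = "", template: str = "",
                  params: Optional[Dict[str, str]] = None) -> Callable[[str], bool]:
    """Return a predicate implementing one Search Filter option."""
    if mode == "retrieve_all":
        return lambda line: True
    if mode == "use_words":
        # every word must occur as a whole word, in any order, case-insensitively
        words = [re.compile(r"(?<!\w)" + re.escape(w) + r"(?!\w)", re.IGNORECASE) for w in value.split()]
        return lambda line: all(w.search(line) for w in words)
    if mode == "exact_phrase":
        phrase = re.compile(re.escape(value), re.IGNORECASE)
        return lambda line: phrase.search(line) is not None
    if mode == "regex":
        pattern = re.compile(value)
        return lambda line: pattern.search(line) is not None
    if mode == "pre_defined":
        # the saved expression carries $name placeholders (assumed syntax);
        # each supplied value is length-checked and escaped so it cannot alter the pattern
        params = params or {}
        for name, val in params.items():
            if len(val) > MAX_PARAM_LENGTH:
                raise ValueError(f"parameter {name!r} exceeds {MAX_PARAM_LENGTH} characters")
        pattern = re.compile(Template(template).substitute({k: re.escape(v) for k, v in params.items()}))
        return lambda line: pattern.search(line) is not None
    raise ValueError(f"unknown search filter mode {mode!r}")


def regex_search(lines: List[str], matcher: Callable[[str], bool], start: str, end: str) -> List[str]:
    """Return the lines timestamped within [start, end) that satisfy the matcher."""
    lo, hi = datetime.strptime(start, TIME_FORMAT), datetime.strptime(end, TIME_FORMAT)
    hits = []
    for line in lines:
        stamp = datetime.strptime(line[:19], TIME_FORMAT)
        if lo <= stamp < hi and matcher(line):
            hits.append(line)
    return hits


# Constructed sample lines (not collected from a real Appliance)
SAMPLE_LINES = [
    "2016-01-12 10:01:02 fw1 kernel: proto=TCP src=10.0.0.5 dst=192.168.1.10 dpt=445 action=deny",
    "2016-01-12 10:01:03 fw1 kernel: proto=UDP src=10.0.0.7 dst=192.168.1.53 dpt=53 action=allow",
    "2016-01-12 10:02:10 host2 sshd: Failed password for invalid user admin from 172.16.4.9 port 51022",
    "2016-01-12 11:15:00 host2 sshd: Accepted password for bob from 10.9.8.7 port 51100",
]
```

Escaping the parameter values before substitution matters for the Pre-Defined option: a value such as 10.0.0.7 must match that address literally rather than letting the dots match any character, and a user-supplied value must not be able to change the saved expression's structure.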

To generate a previously saved report

1. Select Search > Regular Expression Search from the navigation menu.

2. In the RegEx Search Filter tab, select the report from the Saved Custom Report drop-down menu.

— To generate the report, click the Run button.

— To export the report data to a file in CSV format, click the Save as CSV button.

To save a Custom Report

After specifying the parameters for your report, save the report:

1. Click to expand the Save Custom Report section.


2. Type a name for your report and provide a brief description.

3. If you do not plan to share the report with other users logging in to the

Appliance, uncheck the Share with Other Users checkbox. By default, this checkbox is selected.

4. If packages are present on the Appliance, the Add Report to Package drop-down menu is visible letting you select a package in which to include this report.

5. Click the Save Report button to save your changes.

Using Distributed Regular Expression Search

Use Distributed RegEx Search to select individual Remote Appliances or all configured Appliances to run a RegEx search and retrieve the merged results from the Remote Appliances and the Management Station.

Prerequisites:

• Add remote Appliances — Refer to the “Creating a Management Station Cluster” section in the LogLogic Administration Guide.

• The Admin must provide access to each of the remote Appliances for users to have access to the data on the remote Appliances. Access to Appliances is provided to users via the Appliances tab of the User Edit page. For more information about user privileges, refer to the “Managing Users” chapter in the LogLogic Administration Guide.

The Management Station and all Remote Appliances must have LMI v5.4.2 or newer installed.

To run a Distributed RegEx Search.

1. Select Search > Regular Expression Search from the navigation menu.

2. For a Distributed RegEx Search you must select All Appliances.

The Distributed RegEx Search does not support Custom Reports on the Management Station.

3. Select the Device Type.

— If “All” is selected, the Source Device menu will allow you to select all devices or select a single device from the Management Station.

— Select from a list of device types configured on the Management Station.

4. Select the Source Device.

— If “All” is selected then logs from both the Management Station and Remote Appliances will be returned.

Search results are based on the device name and will mostly be returned from the Management Station. However, if the Management Station and Remote Appliances happen to have the same device name then the logs from both the Management Station and the Remote Appliance will be returned.

5. Define your Search Filter. Select one of the following options and specify the respective parameters.

— Retrieve All — Use to retrieve all log files collected during a specified time interval regardless of the defined search expression parameters.

— Pre-Defined — Select a pre-defined search expression (defined in/by search filters). All search filters you create appear in the drop-down menu as a pre-defined search expression. If the selected filter includes multiple parameter fields, a text field for each parameter appears. The maximum length for each field is 25 characters.

— Use Words — Use a specific word(s) as a search parameter.

— Use Exact Phrase — Use an exact phrase as a search parameter.

— Regular Expression — Use a regular expression as a search parameter.

For more information about modifying or creating search expressions, see Using Index Search on page 62.

6. Specify the Time Interval to search for data passing through your Appliance.

7. Select the Notify me when this search completes checkbox to receive a notification that the search has completed.

8. Set a time for the search; do one of the following:

— Select the Schedule Search to Run Immediately checkbox to start your search of archived data immediately.

— Define a time to start the search of archived data. If the selected time is in the past, the search runs immediately. This search is useful if you know exactly which data source you want to search and do not need to search a time interval.

9. Enter a Search Name for the search. If a name is not entered in this field the results will be displayed as distributed search <date><timestamp>.


10. To generate the report, click the Run button.

Only the Management Station Appliance can see the merged results from both the Management Station and Remote Appliances. A Remote Appliance can only see its own local results.

Viewing Distributed RegEx Search Results

To view a list of all the searches that are currently running, see the Currently Running Searches table in the Pending Searches tab.

For each running search, this table lists the search schedule, timespan, name, owner, Regular Expression, and the approximate number of files processed, the total number to search, and the percentage completed.

For Distributed RegEx Searches two results will be displayed on the Management Station search page. This is because two searches were run on the Management Station; one for the Management Station and one for the combined results from the Management Station and the selected Remote Appliances. The Remote Appliances will only see their local results.

Figure 8 Finished Distributed RegEx Searches

Viewing Pending and Running Searches

The Pending Searches tab regularly refreshes to list all the pending and currently running RegEx and Distributed RegEx searches on the Appliance. To force a refresh, click the tab name.

Viewing Running Searches

To view a list of all the searches that are currently running, see the Currently Running Searches table in the Pending Searches tab.

For each running search, this table lists the search schedule, timespan, name, owner, Regular Expression, and the approximate number of files processed, the total number to search, and the percentage completed.

To suspend a running search, check its checkbox and click the Stop button. A suspended search stops processing; its partial results until that point appear in the Finished Searches tab.

Figure 9 Running and Pending RegEx Searches

Viewing Pending Searches

To view a list of all the searches that are scheduled to run, see the Currently Pending Searches table in the Pending Searches tab.

For each pending search, this table lists the priority for the search, its schedule, timespan, name, owner, Regular Expression, and an estimate of the number of files to search.


To remove a pending search from the queue, check its checkbox and click the Remove button. There is no confirmation prompt for removing a pending search.

To add a new RegEx search to the queue, click the Add New button. The RegEx Search tab appears.

Viewing RegEx Search Results

You can view pending, running, or finished searches in the Finished Searches or Pending Searches tabs under Search > Regular Expression Search. To force a refresh of the tab and view the latest finished searches, click the tab name.

Viewing Finished Searches

To view the search results for any searches that have completed, click the number of matches for the report in the Finished Searches tab list.

Figure 10 Finished RegEx Searches

To view the search results for a particular search, click its number of Matches.

To view or download the search results in HTML, PDF, or CSV, click the format extension in the Download Size column. (Clicking the size number downloads the results as a CSV file.)

To delete a past search from the Appliance, select its checkbox and click the Remove button.

Using Search Filters

Search filters are user-created filters (saved search patterns) that can be used in:

• Alerts

• Real-Time Viewer

• Index Search

• RegEx Search

• Index Reports

You can also filter your results using the Find field. Enter the keywords in the Find field to view the filtered results based on your search keywords. You can filter results based on all columns.

The Find field does not support the use of Japanese.

The All Search Filters page lists all search filters:

• You created in the Add Search Filter page

• You created and saved from the Index Search History tab (see Saving an Index Search as a Filter on page 74)

• Available to you, including shareable filters created or owned by other users

Avoid using a regular expression when a non-regular expression alternative is available. Regular expressions are almost always less effective and more error prone than non-regular expressions. For instance, instead of using the regular expression ^[^:]*://.*\.loglogic\.com/.*$ you should write url.domain=loglogic.com. You can also use a wildcard symbol for searches.

In a regular expression search, the wildcard * matches the preceding element zero or more times.

Adding a Search Filter

To add a search filter for complex pattern matching, use the Add Search Filter page.


To add a search filter

1. Select Search > All Search Filters from the navigation menu.

2. Click the Add New button.

3. Type a name for your new search filter.

4. Sharing - Read Only is the default setting for a new search filter; other users of this Appliance may see and use the new search filter. Set the radio button to No to prevent others from seeing and using the new search filter. Set the radio button to Read Write to allow others to see and modify the new search filter.

5. Type a brief description of the new search filter.

This description helps you remember what the filter is for, and describes it to other users if you shared the filter.

6. Select a search filter option and enter the search filter criteria (see Search Filter Options on page 87).

For this example we will select the following option and a single filter criterion:

a. Select the radio button Use Exact Phrase.

b. Enter $username in the Use Exact Phrase text field.

7. Click the Add button.

When adding the very first Search Filter to the Appliance, you may see the message “There is no Search Filter defined in the system” immediately after clicking Add. Refresh the Appliance memory by clicking Regular Expression Search in the navigation menu; then click Search Filters in the menu, and your new Search Filter will appear in the list.

Search Filter Options

There are four types of search expressions you can use when adding a search filter.

Table 20 Search Filter Comparison

| Filter Type | Search Criteria | Use Pre-Defined RegEx Filters | Where Filter Is Used |
|---|---|---|---|
| Use Words | A word, or two words with AND/OR | Yes | RegEx Search, Alerts, Real-Time Viewer |
| Use Exact Phrase | A phrase | Yes | RegEx Search, Alerts, Real-Time Viewer |
| Regular Expression | Regular expression | Yes | RegEx Search, Alerts, Real-Time Viewer |
| Boolean Expression | Keyword search using Boolean expressions | No | Index Search and Index Report |

Custom reports allow whichever filter types apply to the custom report’s contents. For example, a custom report saved from an Index Search allows Boolean search filters. When creating a search filter to be used for Index Search/index report, make sure to choose the Boolean expression as filter type.

Use Words

Type a word as your search criteria. If you type more than one word, you can use the AND/OR drop-down menu.

To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.

Use Exact Phrase

Type a phrase as your search criteria. The Appliance searches for strings including the phrase you specify.

To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.

You can also define a parameter field using $fieldname. For example, $username $zipcode $phone displays text entry fields when you select the search filter in the RegEx Search tab. Field names with spaces in them display only the first word in the RegEx Search tab. For more information, see Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter on page 91.

Regular Expression

Type a regular expression as your search criteria; that is, a single character, a string of characters, or a string of numbers. A regular expression (RegEx) is a pattern that is matched against a subject string from left to right. Most characters stand for themselves in a pattern and match the corresponding characters in the subject.

The power of regular expressions comes from the ability to include alternatives and repetitions in the pattern. These are encoded in the pattern by use of metacharacters which, instead of standing for themselves, are interpreted in a special way.

Avoid using a regular expression when a non-regular expression alternative is available. Regular expressions are almost always less effective and more error prone than non-regular expressions. For instance, instead of using the regular expression ^[^:]*://.*\.loglogic\.com/.*$ you should write url.domain=loglogic.com.

You can use a wildcard symbol (*) for searches. Using a wildcard for RegEx searches means the * matches the preceding element zero or more times.

Once you add a regular expression, the values you enter are stored as parameters in the database. To use this regular expression with alerts, Real-Time Viewer, or RegEx Search, select the Pre-Defined radio button.

If you are creating a search filter for an alert, the search filter must be a RegEx expression.

Boolean Expression

Type a keyword search that uses Boolean operators such as AND, OR, or NOT.

For example:

“Portmapped translation built for gaddr” and NOT 155.363.777.53

This searches indexed data only. Indexing increases performance when searching unparsed data. It is most effective when used to find a rare occurrence of a string.

In addition to entering a keyword, you can also type:

• Numbers and words which are three or more characters

• Terms under three characters, preceded by =. For example, for terms such as user=a or priority=7, the a and 7 are indexed.

The Boolean Expression field is visible only if you enable Full Text Indexing from the General Settings tab. You cannot use Advanced Options with Boolean Search.

Your Boolean expression should be no longer than 1024 characters in length.

For more on using Boolean search strings, see the Search Strings topic in the Online Help.
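As an added example that is not part of the guide or the LogLogic product, the following Python evaluates a Boolean Expression filter over constructed log lines using the indexing rules above (terms of three or more characters are indexed, shorter terms only when they follow =, expressions are limited to 1024 characters). Operator precedence (NOT over AND over OR), substring matching for a quoted phrase, and exact-token matching for a bare term are assumptions, since the guide does not state them.

```python
"""Added example (not LogLogic product code): evaluate a Boolean Expression
search filter against constructed log lines using the guide's indexing rules."""
import re

MAX_EXPRESSION_LEN = 1024  # limit stated in the guide

# Constructed sample messages, not captured from a real device.
SAMPLE_LOGS = [
    "fw01: Portmapped translation built for gaddr 203.0.113.7 laddr 10.1.1.5",
    "fw01: Portmapped translation built for gaddr 155.363.777.53 laddr 10.1.1.9",
    "app01: login ok user=a priority=7 from 10.1.1.5",
]

# Either a quoted phrase or a bare term (AND/OR/NOT arrive as bare terms).
TOKEN_RE = re.compile(r'"([^"]*)"|([^\s"]+)')


def indexed_terms(message):
    """Terms full-text indexing records: words and numbers of three or more
    characters, plus shorter terms that follow '=' (user=a indexes 'a')."""
    terms = set()
    for token in message.lower().split():
        token = token.strip(".,;:")
        if "=" in token:
            key, _, value = token.partition("=")
            if len(key) >= 3:
                terms.add(key)
            if value:
                terms.add(value)
        elif len(token) >= 3:
            terms.add(token)
    return terms


def tokenize(expression):
    """Split an expression into (kind, text) tokens; AND/OR/NOT are case-insensitive."""
    if len(expression) > MAX_EXPRESSION_LEN:
        raise ValueError(f"expression longer than {MAX_EXPRESSION_LEN} characters")
    expression = expression.replace("\u201c", '"').replace("\u201d", '"')  # curly quotes
    tokens = []
    for phrase, word in TOKEN_RE.findall(expression):
        if word and word.upper() in ("AND", "OR", "NOT"):
            tokens.append((word.upper(), None))
        elif word:
            tokens.append(("TERM", word.lower()))
        else:
            tokens.append(("PHRASE", phrase.lower()))
    return tokens


class _Evaluator:
    """Recursive descent; assumption: NOT binds tighter than AND, AND tighter than OR."""

    def __init__(self, tokens, message):
        self.tokens, self.pos = tokens, 0
        self.text, self.index = message.lower(), indexed_terms(message)

    def peek(self):
        return self.tokens[self.pos][0] if self.pos < len(self.tokens) else None

    def parse_or(self):
        result = self.parse_and()
        while self.peek() == "OR":
            self.pos += 1
            result = self.parse_and() or result  # right side first so it is consumed
        return result

    def parse_and(self):
        result = self.parse_not()
        while self.peek() == "AND":
            self.pos += 1
            result = self.parse_not() and result
        return result

    def parse_not(self):
        if self.peek() == "NOT":
            self.pos += 1
            return not self.parse_not()
        kind, text = self.tokens[self.pos] if self.peek() else (None, None)
        self.pos += 1
        if kind == "PHRASE":
            return text in self.text   # assumption: phrase = substring of the message
        if kind == "TERM":
            return text in self.index  # bare term must be an indexed token
        raise ValueError(f"expected a term or phrase, found {kind}")


def matches(expression, message):
    """True when the message satisfies the expression; raises on malformed input."""
    tokens = tokenize(expression)
    evaluator = _Evaluator(tokens, message)
    result = evaluator.parse_or()
    if evaluator.pos != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return result


def search(expression, messages=SAMPLE_LOGS):
    """Messages, in order, that satisfy the expression."""
    return [m for m in messages if matches(expression, m)]
```

The guide's own example expression finds the first sample line only: the second carries the excluded address, and "ok" in the third line is never matched because a two-character term is not indexed.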

Putting Your Logins Search Filter to Work

Complete the following steps to start using your Logins search filter:

1. Select Regular Expression Search from the navigation menu.

2. On the RegEx Search Filter tab that appears, select the Pre-Defined radio button.

3. In the Pre-Defined text field (Select Expression), click the drop-down menu arrow, select Logins search, and click on the filter name. The filter form reloads and now displays “Logins search” in the Pre-Defined text field.

Note that because you specified the parameter $username in the Use Exact Phrase text field when you defined your Logins search filter, the Appliance has opened a new text box next to username in which you may further define the type of user to search for.

4. Enter “admin” in the username text field to search for that class of user alone, or enter the wildcard * to search for logins from all users.

5. Select a Start Time to run your Logins search (immediately in this example).

6. Enter a name for your search in the Search Name text field.

7. Click the Save Custom Report menu expansion arrow and enter a Report Name and Report Description, and select whether to Share with Others.

8. Click Save Report.

9. Click Run.

Figure 11 Report of Logins by username admin

10. Click the number of matches to see the detailed report of the logins by username admin.

Figure 12 Detailed Report of Logins by username admin

Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter

As shown above, when creating a pre-defined search filter, you can define a parameter field using the expression $fieldname. The value you enter in the parameter replaces $field. In our example, we chose $username as our expression, and typed admin into the User Name field. This caused the regular expression search to return admin users wherever $username was specified.

The maximum length for each $field is 25 characters. Regular expressions can be up to 255 characters in length.

This feature applies only to the Use Exact Phrase search filter and Regular Expression search.
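As an added example (not the guide's or the product's own code), the following Python expands a parameterized Use Exact Phrase filter such as $username $zipcode $phone into a regular expression, enforces the 25-character field and 255-character expression limits from this section, and runs it over constructed log lines; it also covers the * wildcard from the Use Words and Use Exact Phrase sections. It assumes that * matches any run of characters, that an unset parameter behaves like *, and that matching is case-sensitive.

```python
"""Added example (not LogLogic product code): expand a parameterized Use
Exact Phrase search filter and run it over constructed log lines."""
import re

MAX_FIELD_LEN = 25    # per-$field limit stated in the guide
MAX_REGEX_LEN = 255   # regular-expression limit stated in the guide

# A $field name ends at the first non-word character, which is why a field
# name containing a space keeps only its first word.
PARAM_RE = re.compile(r"\$([A-Za-z_]\w*)")

# Constructed sample messages, not captured from a real appliance.
SAMPLE_LOGS = [
    "Jan 12 10:01:02 host1 sshd[2231]: Accepted password for admin from 10.0.0.5 port 51022",
    "Jan 12 10:01:09 host1 sshd[2240]: Failed password for root from 10.0.0.9 port 51030",
    "Jan 12 10:02:15 app01 login: admin 94107 555-0100 session opened",
    "Jan 12 10:02:31 app01 login: guest 10001 555-0199 session opened",
]


def parameters(filter_text):
    """Return the $field names in the order they appear in the filter."""
    return PARAM_RE.findall(filter_text)


def wildcard_to_regex(text):
    """Escape literal text; each * becomes '.*' (assumption: any run of characters)."""
    return ".*".join(re.escape(part) for part in text.split("*"))


def expand_filter(filter_text, values):
    """Substitute parameter values into the phrase and compile the result.

    Raises ValueError when a value exceeds 25 characters or the expanded
    expression exceeds 255 characters, the limits the guide states.
    """
    pieces, pos = [], 0
    for match in PARAM_RE.finditer(filter_text):
        pieces.append(wildcard_to_regex(filter_text[pos:match.start()]))
        name = match.group(1)
        value = values.get(name, "*")  # assumption: an unset field acts as *
        if len(value) > MAX_FIELD_LEN:
            raise ValueError(f"${name}: value longer than {MAX_FIELD_LEN} characters")
        pieces.append(wildcard_to_regex(value))
        pos = match.end()
    pieces.append(wildcard_to_regex(filter_text[pos:]))
    pattern = "".join(pieces)
    if len(pattern) > MAX_REGEX_LEN:
        raise ValueError(f"expanded expression longer than {MAX_REGEX_LEN} characters")
    return re.compile(pattern)


def search(filter_text, values, messages=SAMPLE_LOGS):
    """Return the messages containing the expanded phrase (case-sensitive)."""
    regex = expand_filter(filter_text, values)
    return [message for message in messages if regex.search(message)]


if __name__ == "__main__":
    # Wildcards left in $zipcode and $phone also match an sshd line ...
    for line in search("$username $zipcode $phone", {"username": "admin"}):
        print("broad:", line)
    # ... so pin a second parameter down to narrow the result.
    for line in search("$username $zipcode $phone",
                       {"username": "admin", "zipcode": "94107"}):
        print("narrow:", line)
```

Leaving the extra parameters as * returns an unrelated sshd line as well as the login line, which is the over-matching the guide warns about when it recommends non-regular alternatives.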

Creating a Multi-Parameter Pre-Defined Regular Expression Search Filter

In the following example we will build on our single-parameter Logins search filter by adding two additional parameters: $zipcode and $phone.

1. Create a new pre-defined search filter exactly as the example Logins search filter we created above, except this time type $username $zipcode $phone in the Use Exact Phrase field.

2. Name your new search filter “Multi-parameter search” and click Add.

This time the new search filter appeared immediately after clicking Add, and both search filters are displayed in the list.

3. Select Search > Regular Expression Search, and select the Pre-Defined radio button; then select the pre-defined search filter that you just created (Multi-parameter search) from the drop-down menu.

4. The new form reloads, displaying each text field that corresponds to each new $field (search parameter) you will define for this new search filter. The maximum length for each $field is 25 characters.

5. Click Save Custom Report at the bottom of the form, and enter a report name and description.

6. Click Save Report.

7. Type $username $zipcode $phone in the Use Exact Phrase field.

In this example we typed $username $zipcode $phone in the Use Exact Phrase field.

The Appliance generated a text field in the search form for the part after the $. We typed admin in the username field, and used the wildcard * in the zipcode and phone fields to return the maximum number of user logins.

We elected to Save Custom Report, and named it Multi-parameter search, and we selected Schedule to run immediately for the Hourly Period: Last 24 Hours. See the results of our multi-parameter search filter query in Figure 71 .


The detailed Multi-parameter Search Report is revealed by clicking the number of matches returned by the search (see the arrow at the bottom of the top figure).

You can define this parameter for the Use Exact Phrase or Regular Expression fields from the Add or Modify page for any search filter.

Figure 13 Multi-parameter Search Filter Results and Report

8. Click the Finished Searches tab to see the results of the Parameter Search.


Modifying a Search Filter

In the second example above we created a new search filter and added two more search parameters: $zipcode and $phone. As an alternative, we could have modified the first search filter we created, “Logins by username admin”. In the example below, you will see how to modify an existing search filter (assuming you no longer want to retain the original filter configuration).

To modify an existing search filter

1. Select Search > Search Filters from the navigation menu.

2. Click on the name of the filter you want to change.

3. The Modify Search Filter tab appears with the same options as Adding a Search Filter on page 86.

4. Modify the search filter name, description, filter options and criteria, or sharing with other users as needed.

5. Now we think that IP address would be more valuable to us than zipcode and phone, so we elect to modify our multi-parameter search filter to suit our new needs. We could also simply delete the filter and create a new one.

6. Click the Update button to modify the search filter.

7. Select Regular Expression Search from the navigation menu.

8. Click the Pre-Defined radio button on the RegEx Search Filter tab.

9. Select Multi-parameter search from the drop-down menu in the Select Expression field (but do not enter search parameters until you complete Step 8 below).

10. Click the Save Report button at the bottom of the form and enter a new report name and description. Click Save Report.

11. Return to the search parameter text fields and enter your new parameters (username = admin, and ipaddress = wildcard *).

12. Click Run.

13. Click Finished Searches and then click the number of matches returned to see the results.


Viewing All Saved Index Searches

The All Saved Searches screen displays a list of all saved searches for specific types of data based on search expressions and time intervals you have defined and saved in the past. All saved searches and types, such as Index Search, RegEx Search, Index Report, etc., that are stored in the system are visible on this page.

Click the Run icon and regenerate the report with a different time range, or click the Edit icon and change the saved report parameters before rerunning the report.

You can also filter the list of saved reports displayed by title by typing a key word from the report title in the Find field and pressing Enter. The keyword or words will be highlighted in the resulting list. To restore the full list of saved reports, clear the Find field and press Enter again.

You can also create reports from this page by clicking the down-arrow in the Create Report button and selecting among Index Search, Regular Expression Search, and Real Time Viewer.

• For more information on Index Search, see Using Index Search on page 62.

• For more information on Regular Expression Search, see Using Regular Expression Search on page 79.

• For more information on Real Time Viewer, see Viewing Log Messages in Real Time on page 56.

Using and Creating All Index Reports

Use the All Index Reports screen to view a list of all saved searches for specific types of data based on search expressions and time intervals you defined. You can use these results to verify information found in your reports.

The results provide the number of hits for each selected search filter, which you can view in a table or a graphical chart. From the table, you can drill down to view the specific hits for a filter in detail similar to Index Search results.

To create an Index Report

1. From the Search menu, select the All Index Reports submenu.

2. Click Create Report to open the Properties window.

3. Select log sources from the right-hand pane. You can select sources by Appliance, and filter returns by Name, IP Address, Group or Type.

a. If you picked “Name”, enter a Source Name, a specific Device Name or a Name Mask. Wild cards are accepted in this field.

b. If you picked "Collector Domain", enter the name of the Collector Domain. This is the name used to identify each message sent from a specific device.

c. If you picked “IP Address”, enter a Source IP Address, a specific IP Address or an IP Address Mask. Wild cards are accepted in this field.

d. If you picked “Group”, enter a Group Name, or click the down arrow to the right of the text field and select “All” or one of the other Group names displayed in the drop-down box.

e. If you picked “Type”, enter a Source Type (a specific device type), or click the down arrow to the right of the text field and select “All” or one of the other Device Types displayed in the drop-down box.

4. Click <<Add as a rule, and enter a name in the text field of the dynamic rule pop-up.

5. Click OK to add the selected source and filters to the left-hand pane.

6. On the right-hand pane select a device name (or names) from the list by clicking its name.

7. Click <<Add selected log sources to add devices from the selected source to which you want to apply the filters when running the report.

8. Click Columns and Filters to select the columns for your report and choose filters for your results. Click in the field under the Value column and enter a term for the filter (such as login, id, etc.). Then click in the field under the Operator column and pick an operator from the drop-down.

Click Apply. The selected operator and value will move to the left-hand column.

9. Click Index Report Search Selections to select from the available expressions to be used in the report. If none are available, click New Expression... to add a new Boolean search expression for use in any Index Report.

10. In the Add Search Expression... popup that appears, enter Name, Description, Expression, and then click Sharing to define whether others can use or modify the new filter. Click Save.

Do not use < or > in your search expression as these are not valid characters.

11. Place a checkmark next to the new search expression and click << Apply Selections to add them to the left-hand pane for use in filtering your report. Then click Save As.

12. Enter a name and description of the report in the pop-up. Select Share with others if desired. Click Save & Close. The new report will appear in the list of all saved Index Reports.

13. Click in the Name field and enter a term to search for entries in the Saved Reports list. Hit Enter. Any term found in the list of report titles will be highlighted; all other reports not containing the search term will no longer show in the list of Saved Reports. Clear the search term in the Name field and hit Enter to see all Saved Reports again.

14. Click the Run icon in the Actions column. The Date and Time Range Picker pops up, with Last Hour as the default setting. Click the down arrow next to Last Hour to reveal several other options (Last 2, 3, 6, 12, 18 or 24 Hours; Today; Yesterday). Select the timeframe from the Date and Time Range Picker, and click Run again to execute the report.

On the results page, click Display Chart. Both Pie and Bar charts are available.

The chart segments can be highlighted by mousing over them. Right-clicking on the chart or segments opens a print menu.

Chapter 5

Creating and Managing Alerts

Alerts notify you of any unusual traffic on the network or detect anomalies on log sources or the LogLogic Appliance itself.

You can create alerts specific to your monitoring needs, and use alerts that come pre-configured with Compliance Suites or Log Source Packages. You can also update existing alerts or remove them as needed. Similarly, you can define a new custom alert template and manage the existing custom alert templates. Using the template variables, you can define the alert email subject and alert message body for custom alerts.

You can import/export the custom alert templates and formats between appliances. For more details, refer to the LogLogic Administration Guide.

For any alert, you can designate SNMP trap receivers, Syslog receivers, and Email recipients so people can receive notification of alerts via email.

Topics

Viewing and Handling Alerts on page 100

Manage Alert Templates on page 102

Adding a New Alert Template Format on page 102

Viewing and Modifying an Alert Template on page 106

Removing an Alert Template on page 106

Managing Alert Rules on page 107

Adding a New Alert Rule on page 108

Modifying or Removing An Alert on page 114


Viewing and Handling Alerts

The Show Triggered Alerts page lists events triggered by rules defined for this Appliance to monitor and report on. The Show Triggered Alerts page lets you:

• view all alerts

• filter shown alerts by alert category, priority, alert type, and keywords

• view all system alerts only, regardless of priority

• change the alert category to Acknowledged

• delete the alerts permanently

• (MA or Management Station only) view alerts on a specific managed Appliance or on all managed Appliances

When the Data Privacy mode is enabled, these types of alerts will not be displayed on the Show Triggered Alerts page: VPN Connection Alert, VPN Statistic Alert, VPN Message Alert, Pre-defined Search Filter Alert, Cisco PIX/ASA Messages Alert, and Network Policy Alert.

For more information on Data Privacy mode, see the Managing System Settings chapter in the LogLogic Administration Guide.

When an alert is triggered, Alert Viewer shows the alert category as New.

To filter and view alerts

1. Choose Alerts > Show Triggered Alerts from the home page.

2. Select the type of alerts to display from the Show drop-down menu.

All States shows all alerts in all categories.

New or Acknowledged Alerts shows only alerts in the selected category.

3. Select the alert priority to view from the second drop-down menu. The options are: All Priorities, High, Medium, Low, and All System Alerts. To view all system alerts regardless of priority, select All System Alerts.

4. Select the type of alert from the third drop-down menu. To view all types of alerts, select All Types.

5. (MA or Management Station only) Select the Appliance from which to view triggered alerts. To aggregate alerts from all managed Appliances into a single list, select All.

6. To filter using the keywords, enter the keywords in the Find field and press Enter. To search based on Priority and Type, select the respective drop-down menus. For the remaining columns, enter the keyword in the Find field to filter the list.

The filtered results will be displayed.

The Show Triggered Alerts page displays the specified alerts with the following details:

Table 21 Alert Details

| Element | Description |
|---|---|
| Time | Time the alert triggered. |
| Source IP | Source IP address contained in the syslog message. If an alert is for multiple devices, Device Group is shown as the Source IP. |
| Priority | The priority of the alert. An alert's priority is specified in the General tab. |
| Type | The Log Appliance alert type. For a list of alert types, see Table 25 on page 108 and Table 26 on page 109. |
| Alert Destination | Email addresses, trap receivers, or syslog receiver where notifications were sent when the alert triggered. |

To page through and move alerts

To page through multiple results to your query:

• Use the navigation buttons to go to the first, previous, next, or last page, respectively

• Type the page number and click to view the results on a specific page

To acknowledge or remove alerts:

• To move alerts to the Acknowledged category, select their checkboxes and click the corresponding button.

• To delete selected alerts, select their checkboxes and click the corresponding button.

• To delete all alerts permanently, regardless of priority, click the corresponding button.

Move an alert to the Acknowledged category once you have been notified of the alert. Remove an alert once the cause of the alert is corrected.


Manage Alert Templates

The Manage Alert Templates menu allows you to define a new alert template format and manage the custom alert templates. Using the template variables, you can edit the alert message.

The Manage Alert Templates page displays the following details:

Table 22 Manage Alert Templates Details

| Element | Description |
|---|---|
| Filter By Names | Filter using the template names. Enter the keywords and press Enter to view the filtered list. |
| Name | Name of the alert template. |
| Type | Type of the alert. |
| Template Type | Type of template. |
| Max Message Length | Indicates the maximum character length (including the alert email subject and the alert message) that will be displayed. |
| Used By Alert(s) | Click the List link to view a list of alerts that use this template. |

Adding a New Alert Template Format

You can define a new alert template format using the Add New Alert Format option.

To add an alert template format

1. Choose Alerts > Manage Alert Templates from the navigation menu.

2. The Manage Alert Templates page appears.

3. Click the Add New button. The Add New Alert Format window appears.

4. Define a template name in the Name field. This must be a unique name for each template.

5. From the Alert Type drop-down menu, select the type of alert.

For an ST Appliance, only four alert types are available: Adaptive Baseline Alert, Message Volume Alert, Search Filter Alert, and System Alert.

6. Select the Template Type from the drop-down menu. The options are: Email, Alert History, SNMP Trap, and Syslog. Once you select the template type, the default body for the selected type appears in the Body field.

7. Select a variable from the Variables list.

8. Once you select a variable, the actual string for the selected variable appears in the Variable Text field.

The valid variable string definitions are:

Table 23 Alert Template Variable Definitions

| Variable Text | Description |
|---|---|
| $ALERT_DESCRIPTION | User-defined alert description. |
| $ALERT_ID | A number specific to the alert type. For example, 050300 for Message Volume Alert. |
| $ALERT_LOG_SOURCES | A list of log sources assigned to the alert. |
| $ALERT_NAME | User-defined alert name. |
| $ALERT_TIME | The time when the alert was triggered. |
| $ALERT_TYPE | Type of alert. For example, Message Volume Alert. |
| $ALERT_URL | The URL that opens a page with alertable event details. Do not add any special characters after the $ALERT_URL. |
| $CUSTOM_EMAIL_SUBJECT | A portion of the email subject that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field. |
| $CUSTOM_STRING | A portion of the email body that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field. |
| $CUSTOM_SYSLOG_STRING | A portion of the alert syslog message that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field. |
| $FILTER | Text of a search filter that matched as part of a Search Filter alert. |
| $FILTER_NAME | A search filter name. This filter is assigned to a Search Filter alert. |
| $HIGH_THRESHOLD | The high threshold value that was exceeded during alert monitoring. |
| $LOG | The log message that triggered the alert. |
| $LOG_SOURCES | The log sources that triggered the alert. |
| $LOG_SOURCE_IPS | IP addresses of log sources that triggered the alert. |
| $LOW_THRESHOLD | The low threshold value that was crossed during alert monitoring. |
| $NUM_EVENTS | Number of alertable events that happened during the reset time. The reset time temporarily suppresses alerts. |
| $PRIORITY | The alert priority. |
| $RECIPIENT | Email, syslog, and SNMP destinations where the alert was sent. |
| $RESET_TIME | Alert reset time. Reset time temporarily suppresses alerts. |
| $SNMP_STRING | A portion of the alert SNMP message that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field. |
| $SRC_APPLIANCE | The Appliance that triggered the alert. |
| $TIME_SPAN | The time span value used in the alert definition. |
| $TYPE_SYSLOG | Alert type encoding as used in the syslog alert message, for example “MESSAGE_VOLUME_ALERT”. |


Notes on variable strings:

1. The $$ variable is translated as $. For example, $$ALERT_DESCRIPTION is displayed in the alert history as $ALERT_DESCRIPTION.

2. If you put a number before the variable name, only that many characters are displayed in the alert message when the value is longer. For example, $10ALERT_DESCRIPTION displays only the first 10 characters of the alert description; the remaining characters are truncated.

3. Some variables, such as $LOW_THRESHOLD and $HIGH_THRESHOLD, are not supported for certain alert types and may be displayed as empty or 0.

4. Some alerts, such as Message Volume Alert and VPN Statistics Alert, cannot distinguish log sources that produced messages from those that produced none; they may list all assigned log sources in the $LOG_SOURCES variable.

9. The Maximum Message Length field displays the default maximum character length of the alert email subject and alert message. You can update this value at any time. If the combined length of the alert email subject and alert message exceeds the specified value, the email subject is truncated.

When the selected Template Type is Email, the default maximum character length is 65503.

10. When you select Email as the Template Type, the Subject field appears with a default subject. Add or change the subject text that will appear in the email. You must enter either an email Subject or an email Body; you cannot leave both fields blank.

The Subject and Body fields cannot contain <subject>, </subject>, <body>, or </body> tags.

11. Add or change the default body of the selected template type in the Body field. You can select multiple variables. When adding, make sure you copy and paste the exact variable string (from Variable Text field) in the Body field.

12. Click the Add button to save the new template format. The newly added template will be displayed on the Manage Alert Templates page.
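The substitution rules above ($$ escaping, the numeric width prefix, unsupported variables rendering empty, the Maximum Message Length cut-off, and the restrictions on the Subject and Body fields) are easy to get wrong when hand-editing a template. The following Python script is an added example written for this page, not code from the LogLogic manual or the Appliance: it implements those rules so a template can be previewed and linted before it is saved. The function names, the regular expression, and the sample variable values are constructed for the example; the Appliance's own rendering code is not documented here.

```python
"""Render and lint a LogLogic-style alert template.

Added example, not code from the LogLogic manual: it applies the variable
substitution rules stated in the Manage Alert Templates steps ($$ becomes
a literal $, a numeric prefix such as $10ALERT_DESCRIPTION truncates the
value, variables an alert type does not supply come out empty) plus the
Maximum Message Length cut-off, and flags the forbidden <subject>/<body>
tags and characters glued to $ALERT_URL. The function names and the
sample variable values are constructed for the example.
"""
import re
from typing import Dict, List

# "$$" (escaped dollar) or "$", an optional width, then a variable name.
_VAR = re.compile(r"\$\$|\$(\d*)([A-Z][A-Z0-9_]*)")
_FORBIDDEN_TAGS = ("<subject>", "</subject>", "<body>", "</body>")

# Constructed sample values, standing in for what a System Alert would
# supply; $LOW_THRESHOLD is deliberately absent to show the empty case.
SAMPLE_VALUES: Dict[str, object] = {
    "ALERT_NAME": "Disk usage",
    "ALERT_DESCRIPTION": "Root partition above threshold",
    "ALERT_TYPE": "System Alert",
    "ALERT_ID": "050300",
    "PRIORITY": "high",
    "HIGH_THRESHOLD": 80,
}


def render(template: str, values: Dict[str, object], max_length: int = 65503) -> str:
    """Substitute $VARIABLES in `template` and apply the length limit."""
    def substitute(match):
        if match.group(0) == "$$":
            return "$"                      # $$ALERT_X renders as the text $ALERT_X
        width, name = match.group(1), match.group(2)
        value = str(values.get(name, ""))   # unsupported variable -> empty string
        if width:
            value = value[: int(width)]     # $10ALERT_DESCRIPTION keeps 10 chars
        return value

    return _VAR.sub(substitute, template)[:max_length]


def lint_template(subject: str, body: str) -> List[str]:
    """Return the rule violations the Add New Alert Format page rejects."""
    problems: List[str] = []
    if not subject.strip() and not body.strip():
        problems.append("subject and body cannot both be blank")
    for field_name, text in (("Subject", subject), ("Body", body)):
        lowered = text.lower()
        problems += [f"{field_name} contains forbidden tag {tag}"
                     for tag in _FORBIDDEN_TAGS if tag in lowered]
        # Anything glued to $ALERT_URL becomes part of the link in the mail.
        for match in re.finditer(r"\$ALERT_URL(\S)", text):
            problems.append(
                f"{field_name}: character {match.group(1)!r} directly after $ALERT_URL")
    return problems


if __name__ == "__main__":
    body = "$ALERT_NAME ($PRIORITY): $10ALERT_DESCRIPTION, threshold $HIGH_THRESHOLD"
    print(render(body, SAMPLE_VALUES))
    print(lint_template("", "Details: $ALERT_URL."))
```

Run `lint_template` on the Subject and Body text before clicking Add; an empty list means the template passes the checks the page describes. The width prefix applies per variable, while `max_length` applies to the whole rendered message, which matches the two separate truncation rules in steps 8 and 9.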

Viewing and Modifying an Alert Template

You can only view the default (system defined) alert templates. You cannot edit or delete the default alert templates. However, you can update or delete the custom (user defined) templates.


To view the default alert template format

1. Choose Alerts > Manage Alert Templates from the navigation menu.

2. Click on the default alert template name to view the format details. The following illustration displays the Network Policy Email template format.

To modify a custom alert template format

1. Choose Alerts > Manage Alert Templates from the navigation menu.

2. The Manage Alert Templates page appears.

3. Click on the template name to update the format details. You can only update the custom alert templates.

4. Make the necessary changes. Click the Update button to save the changes.

5. If you wish to save the template format with a different name for a later use, update the template Name and click Save As.

Removing an Alert Template

You cannot delete the default alert templates. However, you can delete the custom alert templates.

To remove an alert template

1. Choose Alerts > Manage Alert Templates from the navigation menu.

2. Select the checkbox next to the template name and click the Remove selected template(s) button (located above the list on the top banner). You can only delete the custom templates.

3. Click Yes on the confirmation window to delete the selected alert template.

The confirmation window lists all associated alert rules for the selected template.

When you delete the selected template, all associated alert rules that are using this template will use the default templates.

The selected template will be removed from the Manage Alert Template list.


Managing Alert Rules

Manage Alert Rules lets you define rules to detect unusual traffic on your network or Appliance system anomalies. You can add, modify, or remove alerts. You can configure an alert to send an SNMP trap, a syslog message, and/or an email notification when the alert rule is triggered. Each Appliance includes a default set of alerts; you can modify these alerts and add to them as needed. You do not need to set up an SNMP or syslog server for the default alerts.

If you have the Manage Alerts privilege, you can modify or delete alerts created by other users.

The Manage Alert Rules page displays the following details:

Table 24 Manage Alert Rules Details

Find
    Filter the list using keywords. Enter the keywords in the Find field and press Enter.

Name
    Name of the alert.

Type
    Type of the alert.

Priority
    The defined priority of the alert.

Enabled
    Indicates whether the alert is active. An icon in this column flags an incompletely configured alert: either you must assign a User and Alert Receiver for this alert, or you must assign a Device for this alert.

Description
    Description of the alert.

Preconfigured System Alerts

System Alerts notify you when system health and status criteria exceed acceptable bounds. All LogLogic Appliances include several system alerts that are preconfigured and enabled. By default, these alerts:

• Send email notifications to the Appliance admin user

• Have their priority set to high

• Have a reset time of 300 seconds (except the TCP Forward Falling Behind alert, which has a default reset time of 3600 seconds)


All these alert settings can be customized as needed.

Table 25 Preconfigured System Alerts

System Alert - CPU Temperature
    The temperature of the Appliance CPU has exceeded the specified High Threshold. Default: 70 degrees Celsius.

System Alert - Disk Usage
    The usage of the specified drive on the Appliance has exceeded the specified High Threshold. Default: 80%.

System Alert - Dropped Message
    The number of messages dropped by the Appliance has exceeded the specified High Threshold. Default: 10 msg/sec.

System Alert - Fail Over *
    A failover has occurred on the Appliance. Default: n.a.

System Alert - Migration Complete *
    A data migration involving the Appliance has completed successfully. Default: n.a.

System Alert - Network Connection Speed
    The speed of the network connection for the Appliance has dropped below the specified Low Threshold. Default: 10-Half.

System Alert - Network Interface
    A problem occurred with the Appliance network interface. Default: n.a.

System Alert - RAID Disk Failure
    A failure occurred on an Appliance RAID disk. Default: n.a.

System Alert - Synchronization Failure *
    A failure occurred during log data synchronization on the Appliance. Default: n.a.

* Indicates a System Alert that is not available on MA product family Appliances.

Adding a New Alert Rule

Adding an alert to the Appliance involves selecting the type of alert, enabling the alert, specifying the log sources to monitor, and specifying alert recipients (SNMP traps, syslog receivers, and email user IDs).


Modifying an alert lets you change the same options available here for adding an alert.

When setting up an alert, do not pick search expressions with variables in them. Doing so treats the variables as having a literal meaning.

To add an alert rule

1. Choose Alerts > Manage Alert Rules from the navigation menu.

2. Click the Add New button.

3. In the Type tab, select an alert type.

Once you select an alert type, the General tab for that alert type automatically appears. The Devices, Alert Receivers, Email Recipients, and Templates tabs are enabled.

Table 26 Alert Types

Adaptive Baseline Alert
    Triggered when the messages/second rate rises above, or falls below, the nominal rate for the traffic.
    Note: A baseline is established 1 week after the alert activation time. After the baseline is established, it is adjusted every 15 minutes; the new value is averaged in with the past baseline.

Cisco PIX/ASA Messages Alert
    Triggered when the messages/second rate for a specific PIX/ASA message code is above or below the specified rates.

Message Volume Alert
    Triggered when the messages/second rate is above or below the specified rates. If the Zero Message Alert checkbox is set, an alert is triggered only if zero messages are received within the timespan set.

Network Policy Alert *
    Triggered when a network policy message is received with an Accept or Deny Policy Action.
    The Appliance automatically pulls Check Point firewall rule bases via the Check Point Management Interface (CPMI), but you still must manually enter rules for a Network Policy Alert in the Rules tab.

Parsed Data Alert
    Triggered when parsed data meets the conditions specified for the alert.
    Parsed Data alerts differ from other alert types; they are based on Pre-defined Search Filter alerts. See Parsed Data Alerts on page 113.

Pre-defined Search Filter Alert
    Triggered when a text search filter matches message fields. This uses one of the Appliance's saved RegEx Search Filters.

Ratio Based Alert
    Triggered when the specified message count is above or below a specified percentage of total messages. For example, "Login Success message count is fewer than 10% of total messages."
    The Appliance checks for conditions that would trigger a Ratio Based Alert every 60 seconds.

System Alert **
    Triggered when an Appliance system criterion is exceeded. For example, "Disk usage exceeds 80%".
    By default, System Alerts are prioritized as high. You can change their priority to medium or low if needed.

VPN Connections Alert
    Triggered when a VPN connection is denied access and/or disconnected.
    The VPN Connections Alert is only applicable to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.

VPN Messages Alert
    Triggered by combinations of specific VPN message area, severity, and code. This alert is applicable to Cisco VPN devices.

VPN Statistics Alert
    Triggered when recorded statistics on VPN or RADIUS messages match relative or absolute criteria. This alert is applicable to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.

* The Rules tab appears for Network Policy Alerts, and is accessible only after the new alert is initially saved.

** System Alerts do not have a Devices tab.

System Alert is the only type of alert that can be created on an MA Appliance. On an ST Appliance, an Adaptive Baseline Alert, a Message Volume Alert, and a Pre-defined Search Filter Alert can be created, along with a new System Alert. An LX Appliance can create all types of alerts.


The Pre-defined Search Filter is disabled if there are no search filters defined on the Appliance. To create a Pre-defined Search Filter, use Search Filters to add the filter. A search filter for an alert can contain words, phrase or a RegEx expression.

4. Set up the alert in the General tab.

Options on the General tab vary depending on the alert type. For a complete list of options for a specific alert type, see the Online Help for that alert type. These steps include typical options:

a. Enter a Name for the alert.

b. Set the alert Priority. (High is the default.)

c. Select Enable to activate the alert once you click the Add button.

d. (Optional) Enter a specific SNMP OID to further identify the alert. This helps the receiving administrator or system recognize that all traps carrying this OID originate from a specific device and alert.

e. Enter a Description for the alert. Choose a name and description unique enough to identify the alert easily in a large list.

f. Select the Enable Schedule checkbox to restrict the alert to a schedule. Select the appropriate Time and Day boxes to specify the schedule; a selected box turns blue. To remove a time slot, click its blue box.

5. Specify log sources for the alert in the Devices tab.

All the log sources on the Appliance are listed in Available Devices. When you move a device to the Selected Devices section, the alert you configure is activated for that device. You can define different alerts for different devices.

Available devices for which a Collector Domain was specified in a UC are displayed in the format <collector domain id>_<device IP>_<device type>. For example, a Windows machine with the IP address 10.10.10.10 in collector domain 1 is displayed as 1_10.10.10.10_windows.

Select the Track all devices individually checkbox to generate independent alert messages for each selected device. The reset time is tracked for the group as a whole, and you can change alert properties for the whole device group through the one alert.

When configuring any alert (except System Alerts) on logs transferred using LogLogic TCP, alert reporting can be slightly less than real-time. Because LogLogic TCP sends data in chunks that the Appliance incrementally merges, an alert can appear anywhere between real-time and up to 5 minutes later. As a result, for example, Message Volume rates can be determined when averaging over a 5 minute or greater increment, but do not provide meaningful averages for smaller timespans. For Cisco PIX/ASA Messages alerts, the Timespan setting should be at least 60 seconds.

6. Specify SNMP trap receivers and syslog receivers for the alert in the Alert Receivers tab.

You can define alerts for SNMP traps, syslog receivers, and users, or for SNMP traps only. The Alert Receivers tab lists all the traps and syslog receivers available for the Appliance. You must have configured SNMP traps and syslog receivers, and/or added specific traps, before they can be selected here. For more information about Alert Receivers, see the LogLogic Administration Guide.

7. Specify people to receive alerts via email in the Email Recipients tab.

Email messages that include an alert are limited to 1024 bytes. Any additional alert text is truncated in the email message.

You can define alerts for both users and SNMP traps, or for users only. Available Users lists all the users available for the Appliance. For more information about adding users, see the LogLogic Administration Guide.

8. Select templates for each alert type from the drop-down menu. The Templates tab displays all available templates for each alert type: History, SNMP, Syslog, and Email.

Once you select the template, its format is displayed below.

By default, the Default option for the Alert Email Template is selected to send the default email message. In this case, from the Message Size drop-down, select the Long or Short message form. Select the Enable View Alert Detail from Email checkbox to include additional alert detail in the email.

To define or modify template formats, see Manage Alert Templates on page 102.

9. The Rules tab is enabled only for Network Policy Alerts. The Rules tab allows you to define the Accept (or Deny) Source and Destination IP Address Ranges, Port Ranges, and Protocols. When adding a Network Policy alert, you must save the alert and then modify it to access the Rules tab.

Use the Rules tab to define parameters for the alert. For example, define the firewall policy rules you want to monitor for this alert. A single alert can have one rule or multiple rules. You must add an alert before defining rules.

You can define up to 1000 rules for each alert. A rule whose fields are left blank is still a valid rule: the Appliance treats a blank field as matching all values.

10. Click the Add button to add the new alert to the Appliance.

The Devices, Alert Receivers, and Email Recipients tabs list disabled log sources, receivers, or recipients marked as (disabled). Disabled entries are ignored during processing, but are listed in these tabs so that they are automatically present when enabled again (via the Management > Devices, Administration > Alert Receivers, or Management > Users tabs, respectively).

Parsed Data Alerts

Parsed Data alerts are created differently from other alert types. There is no Parsed Data alert type to select in the interface; its creation is based on a Pre-defined Search Filter alert. The filter specifies matching values that are extracted by the parser from the log messages.

To use a Parsed Data alert, you need to know the name of the database table where parsed logs are stored, along with the column names. You can find the exact column names on the Management > Column Manager page when creating the search filter for this alert type. For more information, see the Managing Column Manager chapter in the LogLogic Administration Guide. When specifying the matching values, consider the data type of the relevant table columns. For example, an IP address must be supplied as a numeric value (a 32-bit integer), not as the string representation such as 169.1.1.1.

1. Create a Pre-defined Search Filter:

a. Name the filter.

b. For filter type, select Use Exact Phrase.

c. For the DB table, specify _table= followed by the table name. (Only one _table= entry is allowed.)

d. Specify the columns and values to match as name=value pairs separated by commas. For example:

_table=Authentication,actionID=2,statusID=4


2. Create a Pre-defined Search Filter alert:

a. Name the Search Filter alert with the prefix _parsed. For example, _parsed_Login Failure.

b. Select the Pre-defined Search Filter you created for this alert.

Usage notes:

— Parsed data alerts apply only to messages from configured log sources.

— Parsed data alerts apply only to the tables configured in the alert.

— Parsed data alerts are not supported on ST Appliances.

— Do not configure the same alert for both real-time and pulled data files.

Create separate alerts for each, with the same search expression.
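The filter string for a Parsed Data alert is easy to get subtly wrong: the page requires exactly one _table= entry, comma-separated name=value pairs, and IP addresses as 32-bit integers rather than dotted quads. The Python helper below is an added example written for this page, not code from the LogLogic manual or the Appliance: it builds such a filter string from column values, converts IPv4 addresses to their integer form, and validates an existing string against those rules. The column name srcIP and the network-byte-order integer encoding of addresses are assumptions; confirm the real column names and types in Management > Column Manager before using a filter.

```python
"""Build and validate the search-filter string of a Parsed Data Alert.

Added example, not code from the LogLogic manual. It follows the filter
syntax the guide shows (one `_table=<name>` entry plus comma-separated
column=value pairs, matched as an exact phrase) and the rule that IP
addresses must be supplied as 32-bit integers rather than dotted quads.
Column names such as srcIP and the network-byte-order integer encoding
are assumptions; check the real names in Management > Column Manager.
"""
import ipaddress
import re
from typing import Dict, Optional

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def ip_to_int(addr: str) -> int:
    """Encode a dotted-quad IPv4 address as an unsigned 32-bit integer,
    e.g. 169.1.1.1 -> 2835415297 (assumed to match the parsed tables)."""
    return int(ipaddress.IPv4Address(addr))


def build_filter(table: str, **columns) -> str:
    """Render a filter such as `_table=Authentication,actionID=2,statusID=4`.

    String values that parse as IPv4 addresses are converted with
    ip_to_int; everything else is kept verbatim. Separators inside a value
    are rejected because the filter syntax has no quoting or escaping.
    """
    if not _IDENT.match(table):
        raise ValueError(f"invalid table name: {table!r}")
    parts = [f"_table={table}"]
    for name, value in columns.items():
        if not _IDENT.match(name):
            raise ValueError(f"invalid column name: {name!r}")
        if isinstance(value, str):
            try:
                value = ip_to_int(value)
            except ipaddress.AddressValueError:
                pass  # not an IPv4 address; keep the string as given
        text = str(value)
        if "," in text or "=" in text:
            raise ValueError(f"value for {name} contains a separator: {text!r}")
        parts.append(f"{name}={text}")
    return ",".join(parts)


def parse_filter(text: str) -> Dict[str, object]:
    """Split a filter string and enforce the guide's constraints: exactly
    one _table= entry and every other item a name=value pair."""
    table: Optional[str] = None
    columns: Dict[str, str] = {}
    for item in text.split(","):
        name, sep, value = item.partition("=")
        if not sep or not _IDENT.match(name):
            raise ValueError(f"not a name=value pair: {item!r}")
        if name == "_table":
            if table is not None:
                raise ValueError("only one _table= entry is allowed")
            table = value
        else:
            columns[name] = value
    if table is None:
        raise ValueError("filter has no _table= entry")
    return {"_table": table, "columns": columns}


def filter_is_valid(text: str) -> bool:
    """True when parse_filter accepts the string."""
    try:
        parse_filter(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(build_filter("Authentication", actionID=2, statusID=4))
    print(build_filter("Authentication", srcIP="169.1.1.1", statusID=4))
    print(parse_filter("_table=Authentication,actionID=2,statusID=4"))
```

Paste the output of `build_filter` into the Use Exact Phrase filter, then name the alert with the _parsed prefix as described in step 2. Because the filter is matched as an exact phrase, the integer form of the address must match exactly how the parser stores it, which is why the conversion is kept in one place.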

Modifying or Removing An Alert

You can modify alert settings or remove alerts from the Manage Alert Rules page.

The same tabs appear as when you add an alert (see Adding a New Alert Rule on page 108).

To edit or remove an existing alert rule

1. Click the alert name in the Name column.

2. View the settings for the Alert Rule on the General tab, the Alert Receivers tab, the Email Recipients tab, and the Templates tab. Change the settings and click Update, or click Cancel to keep the existing settings.

3. To remove an existing alert, select the alert's checkbox and then click the Remove button.

The Remove Alerts tab appears, where you can confirm or cancel the removal.

Chapter 6 Generating Real-Time Reports

Real-Time Reports let you search and generate reports for monitoring various real-time activities derived from the log data collected from your log sources. Each Real-Time Report category contains multiple specific reports.

Depending on the installed LSP packages and your selected log sources, you may see different types of reports, columns, and optional filters for each report.

Topics

Preparing a Real-Time Report on page 116

Access Control Reports on page 125

Database Activity Reports on page 134

IBM i5/OS Activity Reports on page 140

Threat Management Reports on page 154

Mail Activity Reports on page 164

Network Activity Reports on page 172

Operational Reports on page 191

Policy Reports on page 198

Enterprise Content Management on page 203

HP NonStop Audit on page 208

IBM z/OS Activity on page 215

Storage Systems Activity on page 222

Flow Activity on page 224

All Saved Reports on page 228


Preparing a Real-Time Report

The Real-Time Reports are a central component of LogLogic's Agile Reporting, which lets you quickly view detailed information about your collected log data, tailored to your specific needs.

Real-Time Reports can take longer than Saved Reports because they run against all up-to-the-minute raw log data, not against stored summarized log data.

Real-Time Reports capture all hits in collected raw log data that meet the report's criteria.

When two devices have the same IP address but only one has a Collector Domain ID, users might see duplicate data (data combined from both domains).

To generate a Real-Time Report, refer to the procedure and illustrations shown in Generating a Report—An Example on page 120.

Select a Source or Sources and Search Filters

1. In the navigation menu under Reports, select the category and type of report to generate.

2. Click Create Report to open the Properties window.


3. Under Add Log Sources, click the down arrow next to Select and pick a filter (Name, Collector Domain, IP Address, Group or Type) to filter the results.

a. If you picked "Name", enter a Source Name, a specific Device Name or a Name Mask. Wildcards are accepted in this field.

b. If you picked "Collector Domain", enter the name of the Collector Domain. This is the name used to identify each message sent from a specific device.

c. If you picked "IP Address", enter a Source IP Address, a specific IP Address or an IP Address Mask. Wildcards are accepted in this field.

d. If you picked “Group”, enter a Group Name, or click the down arrow to the right of the text field and select “All” or one of the other Group names displayed in the drop-down box.

e. If you picked “Type”, enter a Source Type (a specific device type), or click the down arrow to the right of the text field and select “All” or one of the other Device Types displayed in the drop-down box.

When adding a large number of devices, create a dynamic rule which contains all listed devices. To create a rule, first filter by Name or Type to retrieve the list of devices. Then, click the << Add filters as a rule button that will create a dynamic rule which contains all listed devices on the right pane.

4. If desired, add a second filter by clicking the + sign and repeating Step 3 as often as you like.

5. To delete a filter, click the - sign to remove the last selection made (repeat if needed). Do not click Cancel unless you want to cancel your report.

6. Click <<Add as a rule, and enter a name in the text field of the dynamic rule pop-up.

7. Click OK to add the selected source and filters to the left-hand pane.

8. Select a device name (or names) by clicking its name.

9. Click <<Add selected log sources to add devices from the selected source to which you want to apply the filters when running the report.

10. Click Run to initiate a report of the selected source and devices with the filters you chose in Step 3.

Select Time Frame and Run a Report

1. When you click Run in Step 10, the Date and Time Range Picker pops up, with Last Hour as the default setting. Click the down arrow next to Last Hour to reveal several other options (Last 2, 3, 6, 12, 18 or 24 Hours; Today; Yesterday).


2. To select a different date range, click the small calendar icon to the right of the current Date and Hour display and choose any month and day for the start of the report period. Move to the right and click the second small calendar icon to choose any month and day for the end of the report period.

3. Click Run again to execute the report.

Resize & Move Columns, Create Charts, Print and Download a Report

1. On the results page, you may resize and move the columns to the positions you prefer by clicking on them and dragging.

2. To see detailed information for a particular Source device, click the number of returns for the device in the Count column.

3. Click <back to summarized results and then click Display Chart. Both Pie and Bar charts are available. The chart segments can be highlighted by mousing over them. Right-clicking on the chart or segments opens a print menu.

The charts are populated from the column that is used as the data source. For example, in "Denied Connections: On Demand (Chart for: Attempts)", Attempts is the column used as the data source for the chart. To display a chart based on a different column, sort the report by that column; the column must have numeric values.

4. Reports may be downloaded in CSV, PDF, or HTML format by clicking on the icons below the Display Chart button.

Modify Report Settings and Time Frame

1. Clicking the Edit Settings button opens up a Properties window again, this time allowing you to Add Columns and Filters if desired.

2. Enter your selections for Add Columns and Filters (if any) and click Save As.

3. Enter a name and description for the report in the pop-up window. Select Share with others if desired. Click Save & Close.

4. Click Run Again to execute your report with the new filtering criteria. The new report will appear in the list of all Saved Reports (from Reports > All Saved Reports).

5. Click the date range (blue type at top left) to modify the timeframe for your report. The Date and Time Range Picker appears, with Last Hour as the default setting. Follow the steps listed in Select Time Frame and Run a Report on page 117.


6. From the list of Saved Reports (access Reports > All Saved Reports), you may click Run or Edit to modify the report settings of any Saved Report.

7. To search for a particular report or report series in the Saved Reports list, click in the Find field and enter a search term.

8. Press Enter. Any term found in the list of report titles is highlighted; reports not containing the search term no longer show in the list of Saved Reports. Clear the search term in the Find field and press Enter to see all Saved Reports again.

9. You may add a schedule for a Saved Report by clicking the report Name and then clicking Schedule selected.

The Scheduling window opens. You can define a Timeframe, Email Recipients (pre-defined system users), and Formatting options. Click the Manage Recipients button to update the Appliance address book. Using this option, you can add or modify recipient addresses for people who are not defined as system users (that is, not defined on the Management > Users page).

10. You may delete a Saved Report from the list by clicking the report Name and then clicking Remove selected. A pop-up message asks you to Confirm Deletion.

Saving a Generated Report

There are several options for saving a generated report, available from the icons at the top of the report results:

• Save as CSV: Downloads and saves the report data in a comma-separated .csv file, viewable in spreadsheet applications such as Microsoft Excel.

• Save as PDF: Downloads and saves the report data in a PDF file, viewable in a PDF reader such as Adobe Acrobat Reader.

• View as HTML: Opens the report data formatted in a new browser window or tab, from which you can also download the HTML file for archival.


Rerunning a Saved Report

To rerun a saved report, go to Reports > All Saved Reports and select a previously saved report. You may click the Run icon and regenerate the report with a different time range, or click the Edit icon and change the saved report parameters before rerunning the report. All options are available, not just the ones originally selected. You may customize the new report using new filters and wildcards.

Wildcard searches are supported for IP addresses and detailed messages.

Generating a Report—An Example

This example shows how to generate a Network Activity report that displays denied connection activity related to the IP addresses you select. The steps below apply to the generation of all reports on the Appliance except the Check Point Policies report, which lists current Check Point Firewall policy rules on log sources connected to your Appliance.

The other exception is All Saved Reports, which lists previous search results, saved as reports, and selected to be shared with others at the time of generation.

To generate a Denied Connections Report

1. Select Reports > Network Activity > Denied Connections from the home page menu.

2. Click the Create Report button.

3. Select the log source connected to the Appliance.

4. Select log sources from the list by clicking their names. Click Add selected log sources to move them to the Log Sources list.

5. Click Run to run the report.

6. Specify the time interval to search for data passing through the Appliance and click Run.

7. On the Denied Connections results page, adjust the order and position of columns.


8. Select Display Chart to graph the Denied Connections results. Pie chart and bar chart options are available. Mousing over the chart segments highlights the results.

The charts are populated from the column that is used as the data source. For example, in "Denied Connections: On Demand (Chart for: Attempts)", Attempts is the column used as the data source for the chart. To display a chart based on a different column, sort the report by that column; the column must have numeric values.

Figure 14 Denied Connections Report – Pie Chart Display

9. Right-click a chart segment to print the data in the segment.

10. At the top menu, select the CSV, PDF, or HTML icon to export the entire report to a file.

11. To choose another time to run the Denied Connections report, click the date range in the upper left section of the report.

12. Select the date and time and click Run.

13. Click the Edit Settings button to revise columns and filters in the report and Run the report again.


To re-run and edit settings of a previously saved report (Denied Connections):

1. Select Reports > Network Activity > Denied Connections from the Home page.

2. To run the saved report, click the Run icon and then click the Run button on the Date and Time Range Picker that pops up.

3. After the Denied Connections report opens, click the Edit Settings button.

4. Click Properties to open the Properties Dialog pane.

5. Enter your data and click OK.

6. To add a schedule for the Denied Connections report, click the Scheduling link.

The Add a Schedule pane opens on the right side. You can define a Timeframe, Email Recipients (pre-defined system users), and Formatting options. Click the Manage Recipients button to update the Appliance address book. Using this option, you can add or modify recipient addresses for people who are not defined system users (that is, not listed on the Management > Users page).

7. Click the Add Schedule button at the bottom of the Timeframe pane to confirm the schedule for the Denied Connections report.

8. Click Save and Close on the Properties window to save your entries.

9. View the saved schedule for the Denied Connections report.

10. To make further changes to the Denied Connections report, repeat Steps 1 through 9.

Available Operators

Each report has multiple filter operators available; they are listed in Table 27 on page 123.

Some report columns display as empty when the actual value is either null or an empty string.

• If the value is null, you can filter using --null--.

• If the value is an empty string, you can filter using two single quotes ('').

Table 27 Optional Filter Operators

Operator         Description
=                Specifies an acceptable substitution for a word in a query.
!=               Specifies to not substitute a word in a query.
in               Displays data in the results that contains the specified word in a list.
not in           Excludes data in the results that contains the specified word in a list.
like             Displays data that has a partial match to the value you type. For example, you can type a partial IP address such as 10.2.3.*. This type of search returns all IP addresses which contain these numbers.
not like         Excludes data that contains a partial match to the value you type.
contain          Displays data that matches the alphanumeric string you type. For example, you can type a string such as 'Accessed URL' for any detailed message. This type of search returns all detailed messages which contain, start with, or end with the 'Accessed URL' value.
not contain      Excludes data that matches the alphanumeric string you type.
start with       Displays data that begins with the alphanumeric value you type. For example, you can type a string such as 'Accessed URL' for any detailed message. This type of search returns all detailed messages which start with the 'Accessed URL' value.
not start with   Excludes data that begins with the alphanumeric value you type.
end with         Displays data that ends with the alphanumeric value you type. For example, you can type a string such as 'Accessed URL' for any detailed message. This type of search returns all detailed messages which end with the 'Accessed URL' value.
not end with     Excludes data that ends with the alphanumeric value you type.
regexp           Displays only data in the results that contains the regular expression you define.
not regexp       Displays only data in the results that does not contain the regular expression you define.
>                Displays only data in the results that is above a threshold number.
<                Displays only data in the results that is below a threshold number.
between          Displays data that is between (inclusive) the numeric values you type.
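The following is an added example, not code from the LogLogic Appliance: it models the operator semantics described in Table 27 so that the behaviour of each operator, including the --null-- and two-single-quote filter values for null and empty columns, can be checked on a few constructed rows. The wildcard meaning of * in like, and the rule that a null value matches none of the text operators (negated or not), are assumptions stated in the comments.

```python
"""Evaluate Table 27's filter operators over report rows (added example)."""
import re
from typing import Any, Dict, Iterable, List, Tuple

NULL_TOKEN = "--null--"   # filter value that selects rows whose value is null
EMPTY_TOKEN = "''"        # two single quotes: filter value for an empty string

Row = Dict[str, Any]
Filter = Tuple[str, str, Any]   # (column, operator, value)


def _normalize(value: Any) -> Any:
    """Map the two special filter tokens to the values they stand for."""
    if value == NULL_TOKEN:
        return None
    if value == EMPTY_TOKEN:
        return ""
    return value


def _as_number(value: Any):
    """Return value as a float, or None if it is not numeric (or is null)."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def _like_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption: '*' is the wildcard of 'like' (as in 10.2.3.*); everything
    # else in the pattern is matched literally.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def matches(value: Any, op: str, target: Any) -> bool:
    """True if a single column value satisfies `op target`."""
    if op == "=":
        return value == _normalize(target)
    if op == "!=":
        return value != _normalize(target)
    if op == "in":
        return value in [_normalize(t) for t in target]
    if op == "not in":
        return value not in [_normalize(t) for t in target]
    if op in (">", "<", "between"):
        num = _as_number(value)
        if num is None:          # non-numeric or null values never pass a threshold
            return False
        if op == ">":
            return num > float(target)
        if op == "<":
            return num < float(target)
        low, high = target       # between is inclusive at both ends
        return float(low) <= num <= float(high)

    # Remaining operators work on text. Assumption (SQL-style): a null value
    # matches none of them, negated or not; use = --null-- to select nulls.
    negated = op.startswith("not ")
    base = op[4:] if negated else op
    if value is None:
        return False
    text, needle = str(value), str(target)
    if base == "like":
        hit = _like_regex(needle).match(text) is not None
    elif base == "contain":
        hit = needle in text
    elif base == "start with":
        hit = text.startswith(needle)
    elif base == "end with":
        hit = text.endswith(needle)
    elif base == "regexp":
        hit = re.search(needle, text) is not None
    else:
        raise ValueError(f"unknown operator: {op!r}")
    return hit != negated


def filter_rows(rows: Iterable[Row], filters: List[Filter]) -> List[Row]:
    """Keep the rows that satisfy every (column, operator, value) filter."""
    return [r for r in rows
            if all(matches(r.get(col), op, val) for col, op, val in filters)]


# Constructed sample rows in the shape of a Denied Connections result;
# not appliance output.
SAMPLE_ROWS: List[Row] = [
    {"Source IP": "10.2.3.7", "User": "alice", "Detailed Message": "Accessed URL /login", "Attempts": 3},
    {"Source IP": "10.2.3.19", "User": "", "Detailed Message": "Denied: Accessed URL blocked", "Attempts": 12},
    {"Source IP": "10.9.0.5", "User": None, "Detailed Message": "Connection reset", "Attempts": 1},
    {"Source IP": "192.168.1.4", "User": "bob", "Detailed Message": "Session Accessed URL", "Attempts": 7},
]

if __name__ == "__main__":
    for f in [("Source IP", "like", "10.2.3.*"),
              ("Detailed Message", "contain", "Accessed URL"),
              ("User", "=", NULL_TOKEN),
              ("User", "=", EMPTY_TOKEN),
              ("Attempts", "between", (1, 7))]:
        print(f, "->", [r["Source IP"] for r in filter_rows(SAMPLE_ROWS, [f])])
```

Filters in a list are combined with AND, which is how several column filters on one report narrow the result; note that the row with a null User is selected only by = --null--, while the row whose User is an empty string is selected only by = ''.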

Access Control Reports

To search for and generate reports on the number of times a selected log source executes an authentication rule, use Access Control reports.

The submenu that appears when you click home: Reports > Access Control lists which reports are available for each log source.

To access Access Control reports

Choose home: Reports > Access Control > report-name from the navigation submenu, where report-name is any one of the following Access Control reports.

Table 28 Access Control Reports

Report                   Definition (page)
Permission Modification  Use the Permission Modification screen to search for and create a report on changes made to user permissions on selected log sources during a specified time interval. (page 126)
User Access              Use the User Access screen to search for and generate a report on user activities in accessing resources (for example, service, file, directory, application) on selected log sources during a specified time interval. (page 127)
User Authentication      Use the User Authentication screen to search for and generate a report on who has authenticated on selected log sources during a specified time interval. (page 128)
User Created/Deleted     Use the User Created/Deleted screen to search for and generate a report on which users have been created or deleted during a specified time interval. (page 129)
User Last Activity       Use the User Last Activity screen to search for and generate a report on activity of users during a specified time interval. (page 130)
Windows Events           Use the Windows Events screen to search for and generate a report on data about all log events from the Microsoft Windows operating systems. For example, the captured log events include application, security, and system events. (page 132)

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each Access Control report, and are explained in their respective sections.

For information on saving the generated report, see Saving a Generated Report on page 119.

Permission Modification Reports

To search for and generate a report on activities related to modification of user permissions (for example, adding or deleting permissions) on selected log sources during a specified time interval, use the Permission Modification Real-Time Report.

Menu path: home: Reports > Access Control > Permission Modification

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional columns and filters can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The optional filters are:

Table 29 Permission Modification Report Optional Filter Operators

Option                  Description
Source Device           Description of the device that sent these log messages
User                    User who is making the inquiry
Action                  Action taken
Status                  Status of the connection
Source IP               IP address of the source host device
Source Domain           Domain of the source host device
Target User             User for whom inquiry is being made
Target IP               IP address of the accessed Appliance
Target Domain           Domain of the accessed Appliance
Type                    Type of connection
Originating Host        The original host name where the event was originally created
Subsystem               The subsystem of the host
Originating IP          The original source IP address where the event was originally created
Event Name              Name of the event
Application Type        The type of application that generated the event
Count                   Number of connections

For information on saving the generated report, see Saving a Generated Report on page 119.

User Access Reports

To search for and generate a report on user activities in accessing resources (for example, service, file, directory, application) on selected log sources during a specified time interval, use the User Access Real-Time Report.

Menu path: home: Reports > Access Control > User Access

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The options are:

Table 30 User Access Report Optional Filter Operators

Option                  Description
Source Device           Description of the device that sent these log messages
User                    User who is making the inquiry
Source IP               IP address of the source host device
Source Domain           Domain of the source host device
Target User             User for whom inquiry is being made
Target IP               IP address of the accessed Appliance
Target Domain           Domain of the accessed Appliance
Group                   The name of the Policy group
Action                  Action taken
Status                  Status of the connection
Type                    Type of connection
Originating Host        The original host name where the event was originally created
Subsystem               The subsystem of the host
Originating IP          The original source IP address where the event was originally created
Event Name              Name of the event
Application Type        The type of application that generated the event
Count                   Number of connections

For information on saving the generated report, see Saving a Generated Report on page 119.

User Authentication Reports

To search for and generate a report on who has authenticated on selected log sources during a specified time interval, use the User Authentication Real-Time Report.

Menu path: home: Reports > Access Control > User Authentication

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Source IP, Status, and Count.

Table 31 User Authentication Report Optional Filter Operators

Option                  Description
Source Device           Description of the device that sent these log messages
User                    User who is making the inquiry
Source IP               IP address of the source host device
Source Domain           Domain of the source host device
Target User             User for whom the inquiry is made
Group                   The name of the Policy group
Originating Host        The original host name where the event was originally created
Subsystem               The subsystem of the host
Originating IP          The original source IP address where the event was originally created
Event Name              Name of the event
Application Type        The type of application that generated the event
Status                  Status of the connection
Type                    Type of connection
Disconnect Reason       Reason the connection was terminated
Count                   Number of connections

For information on saving the generated report, see Saving a Generated Report on page 119.
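The following is an added example, not LogLogic code, showing what a report such as User Authentication computes from its selected columns: events are grouped on the columns the report displays (Table 31's defaults are used here) and Count is the number of events in each group; the result can then be sorted by one column and, as noted in the Denied Connections procedure, only a numeric sort column such as Count can serve as the chart's data source. The event records are constructed, and the rule that null values sort last is an assumption.

```python
"""Summarize normalized authentication events the way a real-time report does
(added example, not appliance code)."""
from collections import Counter
from numbers import Number
from typing import Any, Dict, List, Sequence

Row = Dict[str, Any]

# Table 31's default columns; the report appends Count itself.
DEFAULT_COLUMNS: Sequence[str] = ("Source Device", "User", "Source IP", "Status")

# Constructed sample of normalized authentication events (not appliance output).
SAMPLE_EVENTS: List[Row] = [
    {"Source Device": "dc01", "User": "alice", "Source IP": "10.1.1.5", "Status": "success", "Type": "interactive"},
    {"Source Device": "dc01", "User": "alice", "Source IP": "10.1.1.5", "Status": "success", "Type": "interactive"},
    {"Source Device": "dc01", "User": "bob", "Source IP": "10.1.1.9", "Status": "failure", "Type": "network"},
    {"Source Device": "dc01", "User": "bob", "Source IP": "10.1.1.9", "Status": "failure", "Type": "network"},
    {"Source Device": "dc01", "User": "bob", "Source IP": "10.1.1.9", "Status": "failure", "Type": "network"},
    {"Source Device": "vpn01", "User": "carol", "Source IP": "203.0.113.8", "Status": "success", "Type": "vpn"},
]


def build_report(events: Sequence[Row], columns: Sequence[str] = DEFAULT_COLUMNS) -> List[Row]:
    """Group events on `columns`; Count is the number of events in each group.
    Columns not selected (here Type) do not split the groups."""
    groups = Counter(tuple(e.get(c) for c in columns) for e in events)
    return [dict(zip(columns, key), Count=n) for key, n in groups.items()]


def sort_report(report: Sequence[Row], column: str, descending: bool = True) -> List[Row]:
    """Order the report by one column, as the sort drop-down does."""
    # Assumption: a missing or null value sorts last regardless of direction.
    present = [r for r in report if r.get(column) is not None]
    missing = [r for r in report if r.get(column) is None]
    return sorted(present, key=lambda r: r[column], reverse=descending) + missing


def is_numeric_column(report: Sequence[Row], column: str) -> bool:
    """The chart can use the sort column only if every value in it is numeric."""
    return bool(report) and all(
        isinstance(r.get(column), Number) and not isinstance(r.get(column), bool)
        for r in report)


def chart_source(report: Sequence[Row], sort_column: str) -> str:
    """Return the column the chart would use, or raise if it cannot be charted."""
    if not is_numeric_column(report, sort_column):
        raise ValueError(f"{sort_column!r} is not numeric; sort by a numeric column such as Count")
    return sort_column


if __name__ == "__main__":
    report = sort_report(build_report(SAMPLE_EVENTS), "Count")
    print("Chart for:", chart_source(report, "Count"))
    for row in report:
        print(row)
```

Sorting the same report by User and then asking for a chart raises the ValueError, which is the situation step 8 of the Denied Connections procedure describes: the chart follows the sorted column, so a text column cannot drive it.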

User Created/Deleted Reports

To search for and generate a report on which users have been created or deleted on selected log sources during a specified time interval, use the User Created/Deleted Real-Time Report.

Menu path: home: Reports > Access Control > User Created/Deleted

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Source IP, Target User, Target IP, and Count.

Table 32 User Created/Deleted Report Optional Filter Operators

Option                  Description
Source Device           Description of the device that sent these log messages
User                    User who is making the inquiry
Source IP               IP address of the source host device
Target User             User for whom the inquiry is being made
Target IP               IP address of the accessed Appliance
Originating Host        The original host name where the event was originally created
Subsystem               The subsystem of the host
Originating IP          The original source IP address where the event was originally created
Event Name              Name of the event
Application Type        The type of application that generated the event
Action                  Action taken
Action Details          Details of the action
Status                  Status of use
Count                   Number of connections

For information on saving the generated report, see Saving a Generated Report on page 119.

User Last Activity Reports

To search for and generate a report on the most recent activity of all users on selected log sources during a specified time interval, use the User Last Activity report.

Menu path: home: Reports > Access Control > User Last Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

Table 33 User Last Activity Report Optional Filter Operators

Option                  Description
Source Device           Description of the device that sent these log messages
Time                    Time of connection
Connection ID           ID number for the connection
User                    User who is making the inquiry
Source IP               IP address of the source host device
Target User             User for whom the inquiry is being made
Target IP               IP address of the accessed Appliance
Action                  Action taken
Action Details          Details of the action
Status                  Status of the activity
Originating Host        The original host name where the event was originally created
Subsystem               The subsystem of the host
Originating IP          The original source IP address where the event was originally created
Event Name              Name of the event
Application Type        The type of application that generated the event
Access Details          Details of access

For information on saving the generated report, see Saving a Generated Report on page 119.

Windows Events Reports

To search for and generate a report on all Windows Event IDs, the number of events for each ID, and a description of each ID for selected log sources running the Microsoft Windows operating systems, use the Windows Events Real-Time Report. For example, the captured log events include application, security, and system events.

Menu path: home: Reports > Access Control > Windows Events

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, Event ID, and Count.

Table 34 Windows Events Report Optional Filter Operators

Option                  Description
Source Device           Description of the device that sent these log messages
Event ID                Numeric ID corresponding to the source device
User                    User ID on the source device
Source Domain           Domain name of the source device
Target User             User ID of the destination device
Target Domain           Domain name of the destination device
Originating Host        The original host name where the event was originally created
Subsystem               The subsystem of the host
Originating IP          The original source IP address where the event was originally created
Event Name              Name of the event
Application Type        The type of application that generated the event
Action                  Action taken
Status                  Status of use
Type                    Content type of the object as seen in the HTTP reply header
Count                   Number of Windows events for the source device

For information on saving the generated report, see Saving a Generated Report on page 119.

Database Activity Reports

To search for and generate reports on various events occurring on database server log sources, use the Database Activity reports.

To access Database Activity reports

Choose home: Reports > Database Activity > report-name from the navigation menu, where report-name is any one of the following reports:

Table 35 Database Activity Reports

Report                           Description (page)
All Database Events              Use the All Database Events screen to search for and generate a report on the event types that are occurring. (page 135)
Database Access                  Use the Database Access screen to search for and generate a report on all database server connections including user access and failed user access attempts. (page 136)
Database Data Access             Use the Database Data Access screen to search for and generate a report on user access and changes to your data for a specified time period. (page 137)
Database Privilege Modifications Use the Database Privilege Modifications screen to search for and generate a report on database privilege changes, such as user reconfiguration and privilege manipulation. (page 138)
Database System Modifications    Use the Database System Modifications screen to search for and generate a report on system database changes such as drops and table drops. (page 139)

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each Database Activity report, and are explained in their respective sections.

For information on saving the generated report, see Saving a Generated Report on page 119.

All Database Events Reports

To search for and generate a report on the event types that are occurring on specified database server log sources during a specified time interval, use the All Database Events Real-Time Report.

Menu path: home: Reports > Database Activity > All Database Events

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.

Table 36 All Database Events Report Optional Filter Operators

Option                  Description
Source Device           Description of the device that sent these log messages
Database                Database name on which the action occurred
DB User                 User name of the database user whose actions were audited
Sys Priv                System privileges granted or revoked
Database Object Name    Name of the object affected by the action
Status                  Status or return code of the action completion (numeric value)
Severity                Severity level of the event
OS User                 Operating system login user name of the user whose actions were audited
Event Type ID           Database vendor audit code for the action type
Event Type Name         Type of database event such as DROP_TABLE, SQL_UPDATE, or CREATE_TABLE (names vary by vendor)
Object Priv             Object privileges granted or revoked on the database object
Count                   Number of log entries returned with the given parameters

For information on saving the generated report, see Saving a Generated Report on page 119.

Database Access Report

To search for and generate a report on all database server connections, including user access and failed user access attempts, on specified database server log sources during a specified time interval, use the Database Access Real-Time Report.

Menu path: home: Reports > Database Activity > Database Access

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.

Table 37 Database Access Report Optional Filter Operators

Option                  Description
Source Device           Description of the device that sent log data
Database                Database name on which the action occurred
DB User                 User name of the database user whose actions were audited
Sys Priv                System privileges granted or revoked
Database Object Name    Name of the object affected by the action
Status                  Status or return code of the action completion (numeric value)
Severity                Severity level of the event
OS User                 Operating system login user name of the user whose actions were audited
Event Type ID           Database vendor audit code for the action type
Access Type             The action or method used to access any database object
Object Priv             Object privileges granted or revoked on the database object
Count                   Number of log entries returned with the given parameters

For information on saving the generated report, see Saving a Generated Report on page 119.

Database Data Access Report

To search for and generate a report on user access and changes to your data on specified database server log sources during a specified time interval, use the Database Data Access Real-Time Report.

Menu path: home: Reports > Database Activity > Database Data Access

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.

Table 38 Database Data Access Report Optional Filter Operators

Option                  Description
Source Device           Description of the device that sent log data
Database                Database name on which the action occurred
DB User                 User name of the database user whose actions were audited
Sys Priv                System privileges granted or revoked
Database Object Name    Name of the object affected by the action
Status                  Status or return code of the action completion (numeric value)
Severity                Severity level of the event
OS User                 Operating system login user name of the user whose actions were audited
Event Type ID           Database vendor audit code for the action type
Access Type             The action or method used to access any database object
Object Priv             Object privileges granted or revoked on the database object
Count                   Number of log entries returned with the given parameters

For information on saving the generated report, see Saving a Generated Report on page 119.

Database Privilege Modifications Report

To search for and generate a report on database privilege changes, such as user reconfiguration and privilege manipulation, on specified database server log sources during a specified time interval, use the Database Privilege Modifications Real-Time Report.

Menu path: home: Reports > Database Activity > Database Privilege Modifications

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, DB User, Modification Type, Object Priv, and Count.

Table 39 Database Privilege Modifications Report Optional Filter Operators

Advanced Option         Description
Source Device           Description of the device that sent log data
Database                Database name on which the action occurred
DB User                 User name of the database user whose actions were audited
Sys Priv                System privileges granted or revoked
Database Object Name    Name of the object affected by the action
Status                  Status or return code of the action completion (numeric value)
Severity                Severity level of the event
OS User                 Operating system login user name of the user whose actions were audited
Event Type ID           Database vendor audit code for the action type
Modification Type       Modification action of a user, profile, or role privilege
Object Priv             Object privileges granted or revoked on the database object
Count                   Number of log entries returned with the given parameters

For information on saving the generated report, see Saving a Generated Report on page 119.

Database System Modifications Report

To search for and generate a report on system database changes such as drops and table drops, use the Database System Modifications Real-Time Report.

Menu path: home: Reports > Database Activity > Database System Modifications

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, DB User, Database Object Name, Access/Modification Type, and Count.

Table 40 Database System Modifications Report Optional Filter Operators

Option                    Description
Source Device             Description of the device that sent log data
Database                  Database name on which the action occurred
DB User                   User name of the database user whose actions were audited
Sys Priv                  System privileges granted or revoked
Database Object Name      Name of the object affected by the action
Status                    Status or return code of the action completion (numeric value)
Severity                  Severity level of the event
OS User                   Operating system login user name of the user whose actions were audited
Event Type ID             Database vendor audit code for the action type
Access/Modification Type  Modification action of a user, profile, or role privilege
Object Priv               Object privileges granted or revoked on the database object
Count                     Number of log entries returned with the given parameters

For information on saving the generated report, see Saving a Generated Report on page 119.

IBM i5/OS Activity Reports

To search for and generate reports on various events occurring on your IBM i5/OS log sources, use IBM i5/OS Activity reports.

To access IBM i5/OS Activity reports

Choose home: Reports > IBM i5/OS Activity > report-name from the navigation menu, where report-name is any one of the following reports:

Table 41 IBM i5/OS Activity Reports

Report                    Description (page)
All Log Entry Types       Use the IBM i5/OS Activity All Log Entry Types screen to search for and generate a report on all recorded entry types. (page 141)
System Object Access      Use the IBM i5/OS Activity System Object Access screen to search for and generate a report on all failed access attempts throughout the system. (page 143)
User Access by Connection Use the IBM i5/OS Activity User Access by Connection screen to search for and generate a report on all system access and system access attempts by user. (page 146)
User Actions              Use the IBM i5/OS Activity User Actions screen to search for and generate a report on all user actions performed and attempted. (page 148)
User Jobs                 Use the IBM i5/OS Activity User Jobs screen to search for and generate a report on all jobs that users are running. (page 151)

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each IBM i5/OS Activity report, and are explained in their respective sections.

For information on saving the generated report, see Saving a Generated Report on page 119.

All Log Entry Types Reports

To search for and generate a report on all recorded entry types, use the All Log Entry Types Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > All Log Entry Types

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.

Table 42 All Log Entry Types Reports Optional Filter Operators

Option                    Field            Description
Source Device             devIP            IP address of the device that sent log data
Journal Type              jrnEntryType     Two-character Audit Journal record (entry) type
Journal Description       jrnTypeDesc      Description of the journal entry type
Journal Job               jobName          Name of the job that caused the entry to be created
Journal User              jrnUserName      Profile name of the user associated with Journal Job
Journal Number            jrnJobNbr        Job number of the Journal Job
Journal Program           jrnPgm           Name of the program that created the entry
Journal Library           jrnPgmLib        Program library
Journal System Name       jrnSyName        Name of the system where the journal resides
Journal Remote Port       jrnRmtPort       Remote port of the system associated with the journal entry
Journal Remote Address    jrnRmtIPAdr      Network address of the system associated with this entry
Action                    action           An action associated with the entry type
Action Description        actionDesc       Description of the action
Attribute Name            attribute        Name of an attribute that was the target of the action
Attribute Description     attributeDesc    Description of the attribute (if available)
Destination Server        destServer       Name of a remote workstation or server in a network event
DLO Folder                DLOFolder        Name of the Document Library Object folder
DLO User                  DLOUser          Name of the Document Library Object owner or user creating or accessing the DLO
Entry Type                entryType        Type of event or entry in the journal type (can be considered a subtype of the journal type)
Entry Description         entryDesc        Description of the entry
Job Name                  jobName          Name of the Journal Job or the job that was the target of the action described in the entry
Job Number                jobNumber        The Journal Number, or the number of the job that was the target of the action described in the entry
Job User                  jobUser          The Journal User, or the profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address          lclIPadr         Local IP address of the system involved in the network event
Object Library            lib              Library of the object that was acted on
Object Name               obj              Name of the object that was acted on
Object Type               objType          Type of object that was acted on
Remote IP Address         rmtIPadr         Remote IP address of the system involved in the network event
Source Server             srcServer        Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status                    status           Status code
Status Description        statusDesc       Description of the status code (if available)
User ID/Profile           user             A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Journal Code              details          Provides event details.
Count                     (computed by the Appliance)  A count of action attempts, entries, or other count information; dependent on Journal and Entry type

For information on saving the generated report, see Saving a Generated Report on page 119.

System Object Access Reports

To search for and generate a report on all failed access attempts throughout the system, use the System Object Access Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > System Object Access

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.

Table 43 System Object Access Reports Optional Filter Operators

Option | Field | Description
Source Device | devIP | IP address of the device that sent log data
Journal Type | jrnEntryType | Two-character Audit Journal record (entry) type
Journal Description | jrnTypeDesc | Description of the journal entry type

User Guide

144

| Chapter 6 Generating Real-Time Reports

Table 43 System Object Access Reports Optional Filter Operators (Cont’d)

Option | Field | Description
Journal Job | jobName | Name of the job that caused the entry to be created
Journal User | jrnUserName | Profile name of the user associated with the Journal Job
Journal Number | jrnJobNbr | Job number of the Journal Job
Journal Program | jrnPgm | Name of the program that created the entry
Journal Library | jrnPgmLib | Program library
Journal System Name | jrnSyName | Name of the system where the journal resides
Journal Remote Port | jrnRmtPort | Remote port of the system associated with the journal entry
Journal Remote Address | jrnRmtIPAdr | Network address of the system associated with this entry
Action | action | An action associated with the entry type
Action Description | actionDesc | Description of the action
Attribute Name | attribute | Name of an attribute that was the target of the action
Attribute Description | attributeDesc | Description of the attribute (if available)
Destination Server | destServer | Name of a remote workstation or server in a network event
DLO Folder | DLOFolder | Name of the Document Library Object folder
DLO User | DLOUser | Name of the Document Library Object owner or user creating or accessing the DLO
Entry Type | entryType | Type of event or entry in the journal type (can be considered a subtype of the journal type)
Entry Description | entryDesc | Description of the entry
Job Name | jobName | Name of the Journal Job or the job that was the target of the action described in the entry
Job Number | jobNumber | Number of the Journal Job or the job that was the target of the action described in the entry
Job User | jobUser | The Journal User or profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address | lclIPadr | Local IP address of the system involved in the network event
Object Library | lib | Library of the object that was acted on
Object Name | obj | Name of the object that was acted on
Object Type | objType | Type of object that was acted on
Remote IP Address | rmtIPadr | Remote IP address of the system involved in the network event
Source Server | srcServer | Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status | status | Status code
Status Description | statusDesc | Description of the status code (if available)
User ID/Profile | user | A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Journal Code | details | Provides event details.
Count | (computed by the Appliance) | A count of action attempts, entries, or other count information; dependent on Journal and Entry type

For information on saving the generated report, see Saving a Generated Report on page 119.


User Access By Connection Reports

To search for and generate a report on all system access and system access attempts by users, use the User Access By Connection Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > User Access By Connection

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.

Table 44 User Access By Connection Reports Optional Filter Operators

Option | Field | Description
Source Device | devIP | IP address of the device that sent log data
Journal Type | jrnEntryType | Two-character Audit Journal record (entry) type
Journal Description | jrnTypeDesc | Description of the journal entry type
Journal Job | jobName | Name of the job that caused the entry to be created
Journal User | jrnUserName | Profile name of the user associated with the Journal Job
Journal Number | jrnJobNbr | Job number of the Journal Job
Journal Program | jrnPgm | Name of the program that created the entry
Journal Library | jrnPgmLib | Program library
Journal System Name | jrnSyName | Name of the system where the journal resides
Journal Remote Port | jrnRmtPort | Remote port of the system associated with the journal entry
Journal Remote Address | jrnRmtIPAdr | Network address of the system associated with this entry
Action | action | An action associated with the entry type
Action Description | actionDesc | Description of the action
Attribute Name | attribute | Name of an attribute that was the target of the action
Attribute Description | attributeDesc | Description of the attribute (if available)
Destination Server | destServer | Name of a remote workstation or server in a network event
DLO Folder | DLOFolder | Name of the Document Library Object folder
DLO User | DLOUser | Name of the Document Library Object owner or user creating or accessing the DLO
Entry Type | entryType | Type of event or entry in the journal type (can be considered a subtype of the journal type)
Entry Description | entryDesc | Description of the entry
Job Name | jobName | Name of the Journal Job or the job that was the target of the action described in the entry
Job Number | jobNumber | Number of the Journal Job or the job that was the target of the action described in the entry
Job User | jobUser | The Journal User or profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address | lclIPadr | Local IP address of the system involved in the network event
Object Library | lib | Library of the object that was acted on
Object Name | obj | Name of the object that was acted on
Object Type | objType | Type of object that was acted on
Remote IP Address | rmtIPadr | Remote IP address of the system involved in the network event
Source Server | srcServer | Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status | status | Status code
Status Description | statusDesc | Description of the status code (if available)
User ID/Profile | user | A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Journal Code | details | Provides event details.
Count | (computed by the Appliance) | A count of action attempts, entries, or other count information; dependent on Journal and Entry type

For information on saving the generated report, see Saving a Generated Report on page 119.

User Actions Reports

To search for and generate a report on all user actions performed and attempted, use the User Actions Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > User Actions

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.

Table 45 User Actions Reports Optional Filter Operators

Option | Field | Description
Source Device | devIP | IP address of the device that sent log data
Journal Type | jrnEntryType | Two-character Audit Journal record (entry) type
Journal Description | jrnTypeDesc | Description of the journal entry type
Journal Job | jobName | Name of the job that caused the entry to be created
Journal User | jrnUserName | Profile name of the user associated with the Journal Job
Journal Number | jrnJobNbr | Job number of the Journal Job
Journal Program | jrnPgm | Name of the program that created the entry
Journal Library | jrnPgmLib | Program library
Journal System Name | jrnSyName | Name of the system where the journal resides
Journal Remote Port | jrnRmtPort | Remote port of the system associated with the journal entry
Journal Remote Address | jrnRmtIPAdr | Network address of the system associated with this entry
Action | action | An action associated with the entry type
Action Description | actionDesc | Description of the action
Attribute Name | attribute | Name of an attribute that was the target of the action
Attribute Description | attributeDesc | Description of the attribute (if available)
Destination Server | destServer | Name of a remote workstation or server in a network event
DLO Folder | DLOFolder | Name of the Document Library Object folder
DLO User | DLOUser | Name of the Document Library Object owner or user creating or accessing the DLO
Entry Type | entryType | Type of event or entry in the journal type (can be considered a subtype of the journal type)
Entry Description | entryDesc | Description of the entry
Job Name | jobName | Name of the Journal Job or the job that was the target of the action described in the entry
Job Number | jobNumber | Number of the Journal Job or the job that was the target of the action described in the entry
Job User | jobUser | The Journal User or profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address | lclIPadr | Local IP address of the system involved in the network event
Object Library | lib | Library of the object that was acted on
Object Name | obj | Name of the object that was acted on
Object Type | objType | Type of object that was acted on
Remote IP Address | rmtIPadr | Remote IP address of the system involved in the network event
Source Server | srcServer | Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status | status | Status code
Status Description | statusDesc | Description of the status code (if available)
User ID/Profile | user | A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Journal Code | details | Provides event details.
Count | (computed by the Appliance) | A count of action attempts, entries, or other count information; dependent on Journal and Entry type

For information on saving the generated report, see Saving a Generated Report on page 119.

User Jobs Reports

To search for and generate a report on all jobs that users are running, use the User Jobs Real-Time Report.

Menu path: home: Reports > IBM i5/OS Activity > User Jobs

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.

Table 46 User Jobs Reports Optional Filter Operators

Option | Field | Description
Source Device | devIP | IP address of the device that sent log data
Journal Type | jrnEntryType | Two-character Audit Journal record (entry) type
Journal Description | jrnTypeDesc | Description of the journal entry type
Journal Job | jobName | Name of the job that caused the entry to be created
Journal User | jrnUserName | Profile name of the user associated with the Journal Job
Journal Number | jrnJobNbr | Job number of the Journal Job
Journal Program | jrnPgm | Name of the program that created the entry
Journal Library | jrnPgmLib | Program library
Journal System Name | jrnSyName | Name of the system where the journal resides
Journal Remote Port | jrnRmtPort | Remote port of the system associated with the journal entry
Journal Remote Address | jrnRmtIPAdr | Network address of the system associated with this entry
Action | action | An action associated with the entry type
Action Description | actionDesc | Description of the action
Attribute Name | attribute | Name of an attribute that was the target of the action
Attribute Description | attributeDesc | Description of the attribute (if available)
Destination Server | destServer | Name of a remote workstation or server in a network event
DLO Folder | DLOFolder | Name of the Document Library Object folder
DLO User | DLOUser | Name of the Document Library Object owner or user creating or accessing the DLO
Entry Type | entryType | Type of event or entry in the journal type (can be considered a subtype of the journal type)
Entry Description | entryDesc | Description of the entry
Job Name | jobName | Name of the Journal Job or the job that was the target of the action described in the entry
Job Number | jobNumber | Number of the Journal Job or the job that was the target of the action described in the entry
Job User | jobUser | The Journal User or profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address | lclIPadr | Local IP address of the system involved in the network event
Object Library | lib | Library of the object that was acted on
Object Name | obj | Name of the object that was acted on
Object Type | objType | Type of object that was acted on
Remote IP Address | rmtIPadr | Remote IP address of the system involved in the network event
Source Server | srcServer | Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status | status | Status code
Status Description | statusDesc | Description of the status code (if available)
User ID/Profile | user | A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Journal Code | details | Provides event details.
Count | (computed by the Appliance) | A count of action attempts, entries, or other count information; dependent on Journal and Entry type

For information on saving the generated report, see Saving a Generated Report on page 119.


Threat Management Reports

To search for and generate reports on information about threat management, use the Threat Management reports.

To access Threat Management reports

Choose home: Reports > Threat Management from the navigation menu:

Table 47 Threat Management Reports

Report | Description | Page
IDS/IPS Activity | Use the IDS/IPS Activity screen to search for and generate a report on all attack activities from Intrusion Detection/Prevention Systems (IDS/IPS). | page 155
Threat Activity | Use the Threat Activity screen to search for and generate a report on threats detected, eliminated, quarantined, and detected but unable to be mitigated. | page 156
Configuration Activity | Use the Configuration Activity screen to search for and generate a report on the following data: signature file installed, software update, configuration loaded. | page 157
Scan Activity | Use the Scan Activity screen to search for and generate a report on the following data: scan delayed, scan aborted. | page 159
Security Summary | Use the Security Summary screen to search for and generate a report on summarized user and computer activity alongside other products’ security interactions. | page 160
DB IPS Activity | Use the DB IPS Activity screen to search for and generate a report on data (for example, username and client/server IP addresses) for various database intrusion prevention events. | page 161
HIPS Activity | Use the HIPS Activity screen to search for and generate a report on alerts from IPS/IDS signatures, DDoS attacks and port scan occurrences. | page 162

Preparing a Real-Time Report on page 116 includes the common options that you specify for Real-Time Reports.

For information on saving the generated report, see Saving a Generated Report on page 119.

IDS/IPS Activity Reports

To search for and generate a report on all attack activities from IDS/IPS systems, use the IDS/IPS Activity Real-Time Report.

Menu path: home: Reports > Threat Management > IDS/IPS Activity

For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in Ascending or Descending order. Choose sort order using the drop-down menu. The default is to display only Log Source IP, Source IP, Destination IP, Destination Port, Signature, and Count:

Table 48 IDS/IPS Activity Report Optional Filter Operators

Option | Description
Log Source IP | IP address of the device that sent these log messages
Source IP | IP address from which the attack originated
Source Port | Port from which the attack originated
Destination IP | IP address that was targeted
Destination Port | Port that was targeted
Action | Response of the intrusion prevention system (IPS) when it detects an attack reported by the IDS/IPS. Note: If you do not have an IPS associated with your IDS/IPS, you might not see any results if using this filter.
Signature ID | Rule or numeric ID for the event. Note: The Signature ID from the vendor might be more consistent than the Signature.
Protocol | Protocol of the destination device
Signature | Identifier from IDS/IPS for an event
Sensor | Device that sends events to a collector analysis system
Sensor IP | IP address of the device that detected the event
Classification | Type of attack
Priority | Priority level of the attack
Count | Number of attacks.

For information on saving the generated report, see Saving a Generated Report on page 119.
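The System Object Access report (Table 43) and the IDS/IPS Activity report above both reduce to the same operation: filter the parsed events, group them by the optional filter operators you selected, and let the Appliance compute the Count column, sorted ascending or descending. The following Python is an added example written for this guide, not LogLogic code, and it does not reproduce how the Appliance stores or queries events. It constructs a handful of sample events (the field names follow Tables 43 and 48; the addresses, user names, the "FAIL"/"OK" status codes and the signature numbers are made up for illustration) and shows the failed-access view of the System Object Access report, the default IDS/IPS columns, and why the Signature ID note in Table 48 matters: one rule reported by two sensors with different revisions of the rule text produces two rows when grouped on Signature but one row when grouped on Signature ID.

```python
from collections import Counter

# Constructed sample i5/OS audit-journal events (not LMI data). Field names
# follow Table 43; the values, and "FAIL"/"OK" as status codes, are
# assumptions made for this example only.
I5OS_EVENTS = [
    {"devIP": "10.0.0.5", "jrnEntryType": "AF", "user": "JSMITH", "lib": "PAYROLL",
     "obj": "SALARY", "objType": "*FILE", "status": "FAIL"},
    {"devIP": "10.0.0.5", "jrnEntryType": "AF", "user": "JSMITH", "lib": "PAYROLL",
     "obj": "SALARY", "objType": "*FILE", "status": "FAIL"},
    {"devIP": "10.0.0.5", "jrnEntryType": "ZR", "user": "JSMITH", "lib": "PAYROLL",
     "obj": "SALARY", "objType": "*FILE", "status": "OK"},
    {"devIP": "10.0.0.5", "jrnEntryType": "AF", "user": "TEMP01", "lib": "QSYS",
     "obj": "QAUDJRN", "objType": "*JRN", "status": "FAIL"},
]

# Constructed sample IDS/IPS events. Column names follow Table 48; signature
# 1000001 is a made-up rule number reported with two revisions of its text.
IDS_EVENTS = [
    {"Log Source IP": "10.1.1.1", "Source IP": "203.0.113.7", "Destination IP": "10.2.2.2",
     "Destination Port": 445, "Signature ID": 1000001, "Signature": "SMB probe (rev 1)"},
    {"Log Source IP": "10.1.1.1", "Source IP": "203.0.113.7", "Destination IP": "10.2.2.2",
     "Destination Port": 445, "Signature ID": 1000001, "Signature": "SMB probe (rev 2)"},
    {"Log Source IP": "10.1.1.1", "Source IP": "203.0.113.9", "Destination IP": "10.2.2.3",
     "Destination Port": 22, "Signature ID": 1000002, "Signature": "SSH brute force"},
]


def realtime_report(events, columns, where=None, descending=True):
    """Emulate a Real-Time Report table: keep events whose fields equal the
    `where` values, group them by `columns`, add a Count column (the value
    the Appliance computes) and sort by Count in the chosen order."""
    where = where or {}
    matching = [e for e in events if all(e.get(k) == v for k, v in where.items())]
    counts = Counter(tuple(e.get(c) for c in columns) for e in matching)
    rows = [dict(zip(columns, key), Count=n) for key, n in counts.items()]
    # Sort by Count, then by the grouping key, so the order is deterministic.
    rows.sort(key=lambda r: (r["Count"], tuple(str(r[c]) for c in columns)),
              reverse=descending)
    return rows


def failed_object_access(events=I5OS_EVENTS):
    """System Object Access view: failed attempts only, grouped by who touched what."""
    return realtime_report(events, ["user", "lib", "obj", "objType"],
                           where={"status": "FAIL"})


def ids_activity(events=IDS_EVENTS, by="Signature"):
    """IDS/IPS Activity default columns, grouping on the signature text or on
    the vendor Signature ID."""
    columns = ["Log Source IP", "Source IP", "Destination IP", "Destination Port", by]
    return realtime_report(events, columns)


if __name__ == "__main__":
    for row in failed_object_access():
        print(row)
    print(len(ids_activity(by="Signature")), "rows grouped by Signature")
    print(len(ids_activity(by="Signature ID")), "rows grouped by Signature ID")
```

Grouping on Signature ID is the safer choice when several sensors or rule revisions feed the same report; the text of a rule can change between signature updates while its number does not, which is the point the Table 48 note makes.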

Threat Activity Reports

To search for and generate a report on all threats detected, eliminated, quarantined, and detected but unable to be mitigated, use the Threat Activity Real-Time Report.

Menu path: home: Reports > Threat Management > Threat Activity

For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in Ascending or Descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Event Name, Category, User Name, Target User, Action, Status, and Count:

Table 49 Threat Activity Report Optional Filter Operators

Option | Description
Source Device | IP address of the device that sent these log messages
Event ID | Numeric ID corresponding to the source device
Event Type | Type of event
Category | The category of the event
Event Response | Response to the event
Status ID | The ID of the status
Severity ID | The severity ID
Severity Name | The name of the severity code associated with the event
User Name | Name of the user who is making the inquiry
Target User | User for whom the inquiry is being made
Target Group | Group for whom the inquiry is being made
Threat Name | Name of the threat
Source IP | IP address from which the attack originated
Destination IP | IP address that was targeted
Destination Host | Host that was targeted
Analyzer Name | Name of the analyzer
Analyzer Version | The version of the analyzer
Data Version | The version of the data associated with the event
Action | An action associated with the entry type
Status | Status of the connection
Count | Number of attacks.

For information on saving the generated report, see Saving a Generated Report on page 119.

Configuration Activity Reports

To search for and generate a report on all data such as signature file installed, software update, and configuration loaded, use the Configuration Activity Real-Time Report.


Menu path: home: Reports > Threat Management > Configuration Activity

For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in Ascending or Descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Event Name, Category, User Name, Target User Name, Action, Status, and Count:

Table 50 Configuration Activity Report Optional Filter Operators

Option | Description
Source Device | Source device that sent these log messages
Event Name | Name of the event
Event Type | Type of event
Category | The category of the event
Severity ID | The severity ID
Severity Name | The name of the severity code associated with the event
User Name | Name of the user who is making the inquiry
Target User Name | User for whom the inquiry is being made
Threat Type | The type of threat associated with the event
Source IP | IP address from which the attack originated
Destination IP | IP address that was targeted
Analyzer Name | Name of the analyzer
Analyzer Version | The version of the analyzer
Data Version | The version of the data associated with the event
Action | An action associated with the entry type
Status | Status of the connection
Count | Number of attacks.

For information on saving the generated report, see Saving a Generated Report on page 119.


Scan Activity Reports

To search for and generate a report on all scan delayed or scan aborted data, use the Scan Activity Real-Time Report.

Menu path: home: Reports > Threat Management > Scan Activity

For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in Ascending or Descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Event Name, Category, User Name, Target User Name, Action, Status, and Count:

Table 51 Scan Activity Report Optional Filter Operators

Option | Description
Source Device | Source device that sent these log messages
Event Name | Name of the event
Event Type | Type of event
Category | The category of the event
Event Response | Response to the event
Severity ID | The severity ID
Severity Name | The name of the severity code associated with the event
User Name | Name of the user who is making the inquiry
Target User Name | User for whom the inquiry is being made
Target Domain | Domain of the accessed Appliance
Target Group | Group for whom the inquiry is being made
Threat Name | The name of the threat
Threat Type | The type of threat associated with the event
Source IP | IP address from which the attack originated
Destination IP | IP address that was targeted
Destination Port | Port that was targeted
Analyzer Name | Name of the analyzer
Analyzer Version | The version of the analyzer
Action | An action associated with the entry type
Status | Status of the connection
Count | Number of attacks.

For information on saving the generated report, see Saving a Generated Report on page 119.

Security Summary Reports

To search for and generate a report on all summarized user and computer activity alongside other products’ security interactions, use the Security Summary Real-Time Report.

Menu path: home: Reports > Threat Management > Security Summary

For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in Ascending or Descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Source IP, Destination IP, User, and Count:

Table 52 Security Summary Report Optional Filter Operators

Option | Description
Source Device | Source device that sent these log messages
Source IP | IP address from which the attack originated
Destination IP | IP address that was targeted
Source Port | Port from which the attack originated
Destination Port | Port that was targeted
User | User who is making the inquiry
Source Host | Host from which the attack originated
Destination Host | Host that was targeted
Type | Type of connection
Event | Type of event
Action | An action associated with the entry type
Status | Status of the connection
Count | Number of attacks.

For information on saving the generated report, see Saving a Generated Report on page 119.

DB IPS Activity Reports

To search for and generate a report on all data (for example, username and client/server IP addresses) for various database intrusion prevention events, use the DB IPS Activity Real-Time Report.

Menu path: home: Reports > Threat Management > DB IPS Activity

For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in Ascending or Descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Client IP, Database User, Database IP, SQL Command, and Count:

Table 53 DB IPS Activity Report Optional Filter Operators

Option | Description
Source Device | Source device that sent these log messages
Session ID | ID of the session
Client IP | IP address of the client
Client Hostname | Hostname of the client
End User IP | IP address of the end user
Database User | Name of the database user
Database IP | IP address of the database
Database Hostname | Hostname of the database
Database Name | Name of the database on which the action occurred
Schema | 
Service Name | The name of the service
Database Type | The type of database
Database Port | The database port
SQL Command | 
Object Name | The name of the object
Source Program | 
Count | Number of attacks.

For information on saving the generated report, see Saving a Generated Report on page 119.

HIPS Activity Reports

To search for and generate a report on all alerts from IPS/IDS signatures, DDOS attacks and port scan occurrences, use the HIPS Activity Real-Time Report.

Menu path: home: Reports > Threat Management > HIPS Activity

For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in Ascending or Descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Event Name, Target User, Threat Type, Source IP, and Count:

Table 54 HIPS Activity Report Optional Filter Operators

Option | Description
Source Device | Source device that sent these log messages
Event ID | The ID of the event
Event Name | Name of the event
Event Type | The type of event
Event Response | Response to the event
Severity Name | Name of the severity
Target User | User for whom the inquiry was made
Threat Type | The type of threat
Source IP | IP address from which the attack originated
Host IP | Host from which the attack originated
Destination IP | IP address that was targeted
Destination Host | Host that was targeted
Analyzer Name | Name of the analyzer
Analyzer Version | The version of the analyzer
Object Name | Name of the object affected
Destination Port | Port that was targeted
Target Process Name | Name of the target process
Count | Number of attacks.

For information on saving the generated report, see Saving a Generated Report on page 119.


Mail Activity Reports

To search for and generate reports on information about mail-related activities on mail server log sources, use Mail Activity reports.

The Report Information tab that appears when you click on home: Reports > Mail Activity lists which reports are available for each log source.

To access Mail Activity reports

Choose home: Reports > Mail Activity > report-name from the navigation menu, where report-name is any one of the following reports:

Table 55 Mail Activity Reports

Report | Description | Page
Exchange 2000/03 SMTP | Use the Exchange 2000/03 SMTP screen to search for and generate a report on all Exchange 2000/03 SMTP events recorded by your mail servers. | page 165
Exchange 2000/03 Activity | Use the Exchange 2000/03 Activity screen to search for and generate a report on all mail server activity for your Microsoft Exchange servers. | page 166
Exchange 2000/03 Delay | Use the Exchange 2000/03 Delay screen to search for and generate a report on all delays in mail activity for your Microsoft Exchange servers. | page 167
Exchange 2000/03 Size | Use the Exchange 2000/03 Size screen to search for and generate a report on mail size for all your Microsoft Exchange server mail activity. | page 168
Server Activity | Use the Server Activity screen to search for and generate a report on server activity. | page 169
Exchange 2007/10 Activity | Use the Exchange 2007/10 Activity screen to search for and generate a report on all mail server activity for your Microsoft Exchange servers. | page 169
Exchange 2007/10 Mail Size | Use the Exchange 2007/10 Mail Size screen to search for and generate a report on mail size for all your Microsoft Exchange server mail activity. | page 170

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each Mail Activity report, and explained in their respective sections.

For information on saving the generated report, see Saving a Generated Report on page 119.

Exchange 2000/03 SMTP Reports

To search for and generate a report on all Exchange 2000/03 SMTP events recorded by selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 SMTP Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 SMTP

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, all options are shown except Source User, Source Host, Domain Name, and Time Taken (ms):

Table 56 Exchange 2000/03 SMTP Report Optional Filter Operators

Option | Description
Source Device | Description of the device that sent these log messages
Source User | User of the source device
Source IP | IP address of the source device
Source Host | Host name of the source device
Domain Name | Domain name of the source device
Destination IP | IP address of the destination device
Destination Port | Port of the destination device
Method | Request method to obtain an object; for example, GET
URL Query | URL requested
Status | SMTP result codes
Size | Number of bytes transferred
Time Taken (ms) | Time to complete the event
Count | Number of cache views

For information on saving the generated report, see

Saving a Generated Report on page 119

.

Exchange 2000/03 Activity Reports

To search for and generate a report on all delays in mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Delay Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Recipient Domain, Status, and Count are shown:

Table 57 Exchange 2000/03 Activity Report Optional Filter Operators

Option | Description
Source Device | Name of the Microsoft Exchange device
Message ID | Numeric identifier of the message
Sender | Email address of the sender
Sender Domain | Domain name of the sender’s email
Recipient | Email address of the recipient
Recipient Domain | Domain name of the recipient’s email
Status | Exchange status
Count | Number of emails

For information on saving the generated report, see Saving a Generated Report on page 119.

Exchange 2000/03 Delay Reports

To search for and generate a report on all mail server activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Activity Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 Delay

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Recipient Domain, Average Delay, Max Delay, and Count are shown:

Table 58 Exchange 2000/03 Delay Report Optional Filter Operators

Option | Description
Source Device | Name of the Microsoft Exchange device
Message ID | Numeric identifier of the message
Sender | Email address of the sender
Sender Domain | Domain name of the sender’s email
Recipient | Email address of the recipient
Recipient Domain | Domain name of the recipient’s email
Average Delay | Average delay of each message
Max Delay | Maximum delay of each message
Count | Number of emails

For information on saving the generated report, see Saving a Generated Report on page 119.

Exchange 2000/03 Size Reports

To search for and generate a report on mail size for all server mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Size Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2000/03 Size

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Sender, Total Size (Bytes), Max Size (Bytes), Count, and Actual Count are shown:

Table 59 Exchange 2000/03 Size Report Optional Filter Operators

Option | Description
Source Device | Name of the Microsoft Exchange device
Message ID | Numeric identifier of the message
Sender | Email address of the sender
Sender Domain | Domain name of the sender’s email
Recipient | Email address of the recipient
Recipient Domain | Domain name of the recipient’s email
Total Size (Bytes) | Total number of bytes transferred
Max Size (Bytes) | Maximum number of bytes transferred
Count | Number of emails
Actual Count |

For information on saving the generated report, see Saving a Generated Report on page 119.

Server Activity Reports

To search for and generate a report on server activity, use the Server Activity Real-Time Report.

Menu path: home: Reports > Mail Activity > Server Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Source IP, Source Port, Destination IP, Destination Port, and Messages are shown:

Table 60 Server Activity Report Optional Filter Operators

Option | Description
Source Device | Name of the Microsoft Exchange device
Source IP | IP address of the source host device
Source Port | Port of the source host device
Destination IP | IP address that was targeted
Destination Port | Port that was targeted
Messages | Number of log messages received representing this connection

For information on saving the generated report, see Saving a Generated Report on page 119.

Exchange 2007/10 Activity Reports

To search for and generate a report on all delays in mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2007/10 Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2007/10 Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Sender, Recipient, and Count are shown:

Table 61 Exchange 2007/10 Activity Report Optional Filter Operators

Option | Description
Source Device | Name of the Microsoft Exchange device
Sender | Email address of the sender
Recipient | Email address of the recipient
Source |
Count | Number of emails

For information on saving the generated report, see Saving a Generated Report on page 119.

Exchange 2007/10 Mail Size Reports

To search for and generate a report on mail size for all server mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2007/10 Mail Size Real-Time Report.

Menu path: home: Reports > Mail Activity > Exchange 2007/10 Mail Size

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Sender, Total Size (Bytes), Max Size (Bytes), and Count are shown:

Table 62 Exchange 2007/10 Mail Size Report Optional Filter Operators

Option | Description
Source Device | Name of the Microsoft Exchange device
Sender | Email address of the sender
Total Size (Bytes) | Total number of bytes transferred
Max Size (Bytes) | Maximum number of bytes transferred
Count | Number of emails

For information on saving the generated report, see Saving a Generated Report on page 119.

Network Activity Reports

To search for and generate reports on information about connections on log sources, use Network Activity reports.

To access Network Activity reports

Choose home: Reports > Network Activity > report-name from the navigation menu, where report-name is any one of the following:

Table 63 Network Activity Reports

Report | Description | Page
Accepted Connections | Use the Accepted Connections screen to search for and generate a report on IP connections that were accepted by a log source. | page 174
Active FW Connections | Use the Active FW Connections screen to search for and generate a report on current active sessions from the selected firewall log sources. | page 175
Active VPN Connections | Use the Active VPN Connections screen to search for and generate a report on current active sessions through Check Point Interface, Cisco VPN 3000, Nortel Connectivity, and RADIUS Acct Client log sources. | page 176
Application Distribution | Use the Application Distribution screen to search for and generate a report on information about messages, grouped by application ports, that were accepted by a device. | page 177
Denied Connections | Use the Denied Connections screen to search for and generate a report on connections denied by the selected firewall log sources. | page 178
FTP Connections | Use the FTP Connections screen to search for and generate a report on syslog messages related to FTP traffic through the selected firewall log sources. | page 180
VPN Access | Use the VPN Access screen to search for and generate a report on the number of VPN connections that the log source either completed or denied. | page 181
VPN Sessions | Use the VPN Sessions screen to search for and generate a report on data about separate invocations of sessions on log sources during a specified time interval. | page 182
VPN Top Lists | Use the VPN Top Lists screen to search for and generate a report on the top users and IP addresses and statistics. | page 183
Web Cache Activity | Use the Web Cache Activity screen to search for and generate a report on locally stored web information served during a specified time interval. | page 184
Web Surfing Activity | Use the Web Surfing Activity screen to search for and generate a report on web information served during a specified time interval. | page 185
DHCP Activity | Use the DHCP Activity screen to search for and generate a report on events related to all DHCP activity. | page 186
DHCP Granted/Renewed Activity | Use the DHCP Granted/Renewed Activity screen to search for and generate a report on events related to DHCP requests that were granted or renewed. | page 187
DHCP Denied Activity | Use the DHCP Denied Activity screen to search for and generate a report on events related to DHCP requests that were denied. | page 188
NAT64 Activity | Use the NAT64 Activity screen to search for and generate a report on each binding when sessions are built and destroyed. | page 189

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each Network Activity report, and are explained in their respective sections.

For information on saving the generated report, see Saving a Generated Report on page 119.

Accepted Connections Reports

To search for and generate a report on IP connections that were accepted by selected firewall log sources during a specified time interval, use the Accepted Connections Real-Time Report.

1. Accepted Connections data is summarized in ten minutes and one hour. If the report time interval is less than two hours, the time range is cut to ten minutes, and if it is more than two hours, it is cut to one hour.

2. To view the detail report, you must enable the Administration > System Settings > General tab > Enable Accept Detail option. This may require additional time and storage in downloading this report.

Menu path: home: Reports > Network Activity > Accepted Connections

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

Column headings differ for PIX and non-PIX devices.

Table 64 Accepted Connections Report Optional Filter Operators

Option | Description
Source Device | Description of the device that sent these log messages
Translated IP * | IP address as translated by the device
Source IP | IP address of the source host (non-PIX devices only)
Destination IP | IP address of the destination host device (non-PIX devices only)
Port | Port number (service) of the destination host
Protocol | Protocol of the destination host
Description | Description of the port (service)
Messages | Number of log messages received representing this connection
In Bytes | Number of incoming bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only)
Out Bytes | Number of outgoing bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only)
Action | Accept or encrypt - Identifies if the connection was accepted or accepted with encryption (Check Point Interface only)

* Under certain conditions Network Address Translation (NAT) addresses can show up as 0.0.0.0 in real time reports such as Accepted Connections Reports. This is not a bug since System Alert messages of a certain type (e.g., FWSM-4-106100 in Cisco Catalyst 6500 Series Switches) do not have a translated (mapped) address present in the logs. Therefore, zero is correct because there is no relevant IP address in the parsed logs for FWSM-4-106100.

For information on saving the generated report, see Saving a Generated Report on page 119.

Active FW Connections Reports

To search for and generate a report on current active sessions through selected Cisco PIX Firewall log sources, use the Active FW Connections Real-Time Report.

The Active Firewall Connection report is generated by monitoring the start and end messages of a particular connection in progress. Connections that have generated a start message but have not yet generated an end message are assumed to be active for a period of time before being timed-out.

Menu path: home: Reports > Network Activity > Active FW Connections

In Active FW Connections reports, you must specify the log source:

Table 65 Active FW Connections Screen Elements

Element | Description
IP Address | IP address for the log source
Port | Port number for the log source
Protocol | Protocol type (from the drop-down menu)

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

Table 66 Active FW Connections Report Optional Filter Operators

Option | Description
Create Time | Time the session began
Connection | ID in the log message assigned to the unique connection
Protocol | IP Protocol (TCP, UDP, etc.) of the connection
Translated IP/Port | Public (NAT’ed) IP address of the source host (IP address only)
Source IP/Port | IP address of the internal host device (IP address only)
Destination IP/Port | IP address of the external host device (IP address only)
Direction | Inbound or Outbound connection attempt

For information on saving the generated report, see Saving a Generated Report on page 119.

The generated list displays in real-time. As a result, the last page of connections might be closed/no longer active by the time you scroll to the last page. This results in no data displaying in the last page of the report.
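The start/end tracking that the report description above relies on, as an added Python example that is not LogLogic code: a connection with a start message and no end message counts as active until a timeout elapses. The log line format, the field names and the one-hour timeout are constructed assumptions, not a real PIX/ASA syslog layout.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines in a simplified, made-up format (not real device output):
#   <ISO timestamp> <start|end> id=<conn id> proto=<proto> src=<ip:port> dst=<ip:port> dir=<inbound|outbound>
SAMPLE_LINES = [
    "2016-01-12T10:00:00 start id=1001 proto=TCP src=10.1.1.5:41230 dst=203.0.113.7:443 dir=outbound",
    "2016-01-12T10:00:05 start id=1002 proto=UDP src=10.1.1.9:5353 dst=198.51.100.4:53 dir=outbound",
    "2016-01-12T10:00:07 end id=1002 proto=UDP src=10.1.1.9:5353 dst=198.51.100.4:53 dir=outbound",
    "2016-01-12T11:30:00 start id=1003 proto=TCP src=192.0.2.20:51000 dst=10.1.1.5:22 dir=inbound",
    "2016-01-12T11:40:00 end id=9999 proto=TCP src=10.1.1.1:1 dst=10.1.1.2:2 dir=outbound",
    "2016-01-12T11:55:00 start id=1004 proto=TCP src=10.1.1.5:41500 dst=203.0.113.9:80 dir=outbound",
]


@dataclass
class Event:
    ts: datetime
    kind: str          # "start" or "end"
    conn_id: str       # ID the device assigned to the connection
    protocol: str
    source: str        # internal host, ip:port
    destination: str   # external host, ip:port
    direction: str


@dataclass
class ActiveConnection:
    """One report row: Create Time, Connection, Protocol, Source, Destination, Direction."""
    create_time: datetime
    conn_id: str
    protocol: str
    source: str
    destination: str
    direction: str


def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    tokens = line.split()
    fields = dict(token.split("=", 1) for token in tokens[2:])
    return Event(
        ts=datetime.fromisoformat(tokens[0]),
        kind=tokens[1],
        conn_id=fields["id"],
        protocol=fields["proto"],
        source=fields["src"],
        destination=fields["dst"],
        direction=fields["dir"],
    )


def active_connections(lines: List[str], now: datetime, timeout: timedelta) -> List[ActiveConnection]:
    """Connections with a start message, no end message, and a start less than
    `timeout` before `now`. Older unmatched starts are assumed to have timed
    out, as the report description says. Events after `now` are ignored and
    the rest are processed in timestamp order, so out-of-order input is fine;
    an end with no matching start and a duplicate start are both ignored."""
    events = sorted((e for e in map(parse_event, lines) if e.ts <= now), key=lambda e: e.ts)
    open_conns: Dict[str, ActiveConnection] = {}
    for ev in events:
        if ev.kind == "start":
            open_conns.setdefault(
                ev.conn_id,
                ActiveConnection(ev.ts, ev.conn_id, ev.protocol, ev.source, ev.destination, ev.direction),
            )
        elif ev.kind == "end":
            open_conns.pop(ev.conn_id, None)
    return sorted(
        (c for c in open_conns.values() if now - c.create_time < timeout),
        key=lambda c: c.create_time,
    )


def active_connection_ids(lines: List[str], now_iso: str, timeout_minutes: int) -> List[str]:
    """Convenience wrapper: the Connection column only, for a report run at `now_iso`."""
    rows = active_connections(lines, datetime.fromisoformat(now_iso), timedelta(minutes=timeout_minutes))
    return [row.conn_id for row in rows]


if __name__ == "__main__":
    report_time = datetime(2016, 1, 12, 12, 0, 0)
    for row in active_connections(SAMPLE_LINES, report_time, timedelta(hours=1)):
        print(row.create_time, row.conn_id, row.protocol, row.source, "->", row.destination, row.direction)
```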

Active VPN Connections Reports

To search for and generate a report on current active sessions through selected VPN and RADIUS log sources, use the Active VPN Connections Real-Time Report.

Menu path: home: Reports > Network Activity > Active VPN Connections

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

Table 67 Active VPN Connections Report Optional Filter Operators

Option | Description
Source Device | Description of the device that sent these log messages
Connections | Number of log messages received representing connections

For information on saving the generated report, see Saving a Generated Report on page 119.

The generated list displays in real-time. As a result, the last page of connections might be closed/no longer active by the time you scroll to the last page. This results in no data displaying in the last page of the report.

Application Distribution Reports

To search for and generate a report that summarizes accepted traffic by application ports through selected firewall log sources during a specified time interval, use the Application Distribution Real-Time Report.

1. The Application Distribution data is summarized in ten minutes and one hour. If the report time interval is less than two hours, the time range is cut to ten minutes, and if it is more than two hours, it is cut to one hour.

2. To view the detail report, you must enable the Administration > System Settings > General tab > Enable Accept Detail option. This may require additional time and storage in downloading this report.

Menu path: home: Reports > Network Activity > Application Distribution

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

Table 68 Application Distribution Report Optional Filter Operators

Option | Description
Source Device | Description of the device that sent these log messages
Port | Port number (service) of the connection
Protocol | IP protocol (TCP, UDP, etc.) of the connection
Description | Description of the port (service)
Messages | Number of log messages received representing this connection
Src -> Dest Bytes | Number of outbound bytes sent (not for Nortel VPN)
Bar Graph | Percentage of total outbound bytes represented as a bar graph
Percentage | Number of outbound bytes represented as a percentage
Dst -> Src Bytes | Number of inbound bytes received (not for Nortel VPN)

For information on saving the generated report, see Saving a Generated Report on page 119.

Denied Connections Reports

To search for and generate a report on denied connections by selected firewall log sources during a specified time interval, use the Denied Connections Real-Time Report.

Menu path: home: Reports > Network Activity > Denied Connections

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select:

• The type of information the Appliance aggregates for the generated report

• Various optional filter operators in the generated report for your Appliance

Table 69 Denied Connections Report Summary Methods

Method | Description
Src IP/Any --> Any/Port | Aggregates records from a specific Source IP and any port going to any destination IP and a specific destination port. The system derives the Source IP and destination port from your Device Type and Source Device selections.
Src IP/Any --> Dest IP/Port | Aggregates records from a specific Source IP and any port going to a specific Destination IP and specific Destination port. The system derives the Source IP and Destination IP from your Device Type and Source Device selections.
Denied by Port | Aggregates records from the port numbers only
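The three summary methods expressed as grouping keys over denied-connection records, as an added Python example that is not LogLogic code. The record fields and the key composition are my reading of Table 69 rather than a documented schema, and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class DeniedRecord:
    src_ip: str
    src_port: int
    dest_ip: str
    dest_port: int
    protocol: str
    attempts: int   # number of deny messages seen for this 5-tuple


# Constructed sample records (not real device output): one source scanning
# SSH on two hosts, plus two sources hitting RDP on one host.
SAMPLE_RECORDS: List[DeniedRecord] = [
    DeniedRecord("198.51.100.23", 40001, "10.0.0.5", 22, "TCP", 3),
    DeniedRecord("198.51.100.23", 40002, "10.0.0.5", 22, "TCP", 2),
    DeniedRecord("198.51.100.23", 40003, "10.0.0.6", 22, "TCP", 4),
    DeniedRecord("203.0.113.8", 51000, "10.0.0.5", 3389, "TCP", 1),
    DeniedRecord("198.51.100.23", 40004, "10.0.0.5", 3389, "TCP", 5),
]

# Summary method -> grouping key, following the three rows of Table 69.
# "Any" on the source side means the source port is dropped from the key.
SUMMARY_METHODS: Dict[str, Callable[[DeniedRecord], Tuple]] = {
    "Src IP/Any --> Any/Port": lambda r: (r.src_ip, r.dest_port),
    "Src IP/Any --> Dest IP/Port": lambda r: (r.src_ip, r.dest_ip, r.dest_port),
    "Denied by Port": lambda r: (r.dest_port,),
}


def summarize_denied(records: List[DeniedRecord], method: str) -> List[Tuple[Tuple, int]]:
    """Sum Attempts per grouping key for the chosen summary method.

    Returns (key, attempts) pairs, highest count first; ties are broken by key
    so the output is deterministic. Unknown method names raise ValueError."""
    if method not in SUMMARY_METHODS:
        raise ValueError(f"unknown summary method: {method!r}")
    key_of = SUMMARY_METHODS[method]
    totals: Dict[Tuple, int] = defaultdict(int)
    for rec in records:
        totals[key_of(rec)] += rec.attempts
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for method in SUMMARY_METHODS:
        print(method)
        for key, attempts in summarize_denied(SAMPLE_RECORDS, method):
            print("   ", key, attempts)
```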

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following optional filter operators:

Table 70 Denied Connections Report Optional Filter Operators

Option | Description
Source Device | Description of the device that sent these log messages
Attempts * | Number of times log messages denied the connection
Src IP | IP address of the source host device
Src Port | Port number of the source host device
Dest IP | IP address of the destination host device
Dest Port | Port number of the destination host device
Protocol | IP protocol (TCP, UDP, etc.) of the connection
Description | Description of the destination port (service)
Access Group | (Cisco PIX/ASA only) Lists any group of which you are a member
Rules | (Check Point Interface only) Condition set on the firewall to complete the security policy; identifies what is allowed and not allowed through a specific interface.
Policy ID | Unique policy identifier of the device on the firewall (Juniper Firewall only)
Direction | (Check Point Interface, Cisco PIX/ASA/FWSM, Juniper Firewall, and Nortel Connectivity only) Inbound or Outbound connection attempt. Direction is stored as a number internally, for INBOUND use 1, for OUTBOUND use 2, and for INTERNAL use 3.

* Note: “Attempts” for Cisco router by “src IP/any” will be larger than the number shown in the Denied Connections Report because IP packets are measured in this instance, instead of the actual number of messages sent.

For more information on saving the generated report, see Saving a Generated Report on page 119.

FTP Connections Reports

To search for and generate a report on all syslog messages related to FTP traffic through the selected firewall device during a specified time interval, use the FTP Connections Real-Time Report.

Menu path: home: Reports > Network Activity > FTP Connections

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

Table 71 FTP Connections Report Optional Filter Operators

Option | Description
Source Device | Description of the device that sent these log messages
Source Device IP | IP address of the source device that sent these log messages
From | IP address of the source device
To | IP address of the destination device
Count | Number of times syslog messages related to FTP traffic were generated

For information on saving the generated report, see Saving a Generated Report on page 119.

VPN Access Reports

To search for and generate reports on the VPN connections that the selected log sources either completed or denied during a specified time interval, use the VPN Access Real-Time Report.

Menu path: home: Reports > Network Activity > VPN Access

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:

Table 72 VPN Access Report Optional Filter Operators

Option | Description
Source Device | Description of the device that sent these log messages
Public IP | Public IP address originating the VPN connection
Group | VPN group of which the source device is a part
User | VPN user ID
Target User | VPN user ID of the originating VPN connection
Connections | Number of log messages received representing connections
Denies | Number of denied connection messages received
Avg Duration | Average duration of each connection
Byte Count | Number of bytes transferred during the session
Avg Bandwidth (Bytes/Sec) | Average bandwidth used for each connection

For information on saving the generated report, see Saving a Generated Report on page 119.

Appliances cannot receive disconnected messages. A VPN session is recorded permanently in the database table authentication after it is disconnected; prior to that, the session is considered active. A Check Point VPN session is considered disconnected when a new connection attempt is made by the same user from the same IP address.

VPN Sessions Reports

To search for and generate a report on data about VPN sessions (including initiation and conclusion times) on selected log sources during a specified time interval, use the VPN Sessions Real-Time Report.

Menu path: home: Reports > Network Activity > VPN Sessions

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Avg Duration, Avg Bytes, and Count.

Table 73 VPN Sessions Report Optional Filter Operators

Option | Description
Source Device | Description of the device that sent these log messages
User | User ID
Target User | User ID on the device with which the source device attempted to connect
Source IP | IP address of the device that sent these log messages
Target IP | IP address of the device with which the source device attempted to connect
Avg Duration | Average duration of each connection
Avg Bytes | Average number of bytes
Count | Number of VPN sessions

For information on saving the generated report, see Saving a Generated Report on page 119.

Appliances cannot receive disconnected messages. A VPN session is recorded permanently in the database table authentication after it is disconnected; prior to that, the session is considered active. A Check Point VPN session is considered disconnected when a new connection attempt is made by the same user from the same IP address.

VPN Top Lists Reports

To search for and generate a report on the top users, IP addresses, and other statistics, use the VPN Top Lists Real-Time Report.

Menu path: home: Reports > Network Activity > VPN Top Lists

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Choose the Method from the drop-down menu. The options are: Top Disconnect Reasons, By IP Address, and By User. Depending on the method selection, the default column options will change. Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.

The default is to display all the following options for Top Disconnect Reasons:

Table 74 VPN Top Lists Report Types

Report Type | Description
Source Device | The description of the source device
Connections | Number of connections to the source device
Disconnect Reason | Reason for disconnection

If you run a report for the Top Disconnect Reasons, the “unknown” that displays in the Disconnect Reasons column represents the disconnect reasons reported by RADIUS. If you have not properly plugged in your RADIUS server, all reasons display as “unknown”. Click a Connections number or Source Device to drill-down and view the Disconnect Details column. This column displays the VPN syslog messages associated with the disconnect reason.

For information on saving the generated report, see Saving a Generated Report on page 119.

Web Cache Activity Reports

To search for and generate a report on all URLs accessed through proxy or cache servers on specified log sources during a specified time interval, use the Web Cache Activity Real-Time Report.

Menu path: home: Reports > Network Activity > Web Cache Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source IP, Destination IP, Status, Size, Filter Category, Filter Result, and Count:

Table 75 Web Cache Activity Report Optional Filter Operators

Option | Description
Source Device | Description of the device that sent these log messages
Source User | User of the source device
Source IP | IP address of the source device
Source Host | Host name of the source device
Domain Name | Domain name of the source device
Destination IP | IP address of the destination device
Destination Port | Port of the destination device
Peer IP | IP address of the peer device
Peer Host | Host name of the peer device
Peer Status | A code that explains how the request was handled; for example, by forwarding it to a peer or returning the request to the source
Method | Request method to obtain an object; for example, GET
URL | URL requested
Cache Code | Information on the result of the transaction: the kind of request, how it was satisfied, or in what way it failed
Status | HTTP result codes
Type | Content type of the object as seen in the HTTP reply header
Size | Number of bytes transferred
Filter Category | The category of the filter
Filter Result | The results after using the filter
Count | Number of cache views

When you drill down on Web Cache Activity report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.

For information on saving the generated report, see Saving a Generated Report on page 119.

Web Surfing Activity Report

To search for and generate a report on all URLs accessed via firewalls or web servers on selected log sources during a specified time interval, use the Web Surfing Activity Real-Time Report.

Menu path: home: Reports > Network Activity > Web Surfing Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device IP, Source IP, Destination IP, Status, Size, and Count:

Table 76 Web Surfing Activity Report Optional Filter Operators

Option              Description
Source Device IP    IP address of the device that sent these log messages
Source User         User ID of the source device
Source IP           IP address of the device originating the connection
Source Host         Host name of the source device
Domain Name         Domain name of the source device
Destination IP      IP address of the destination device
Destination Port    Port of the destination device
Method              Request method to obtain an object; for example, GET
URL                 URL requested
Status              HTTP result codes
Type                Content type of the object as seen in the HTTP reply header
Size                Number of bytes transferred
User Agent
Referred By
Count               Number of syslog messages received for this connection and status code

User Guide 186 | Chapter 6 Generating Real-Time Reports

When you drill down on Web Surfing Activity report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.

For information on saving the generated report, see Saving a Generated Report on page 119.

DHCP Activity Report

To search for and generate a report on events related to all DHCP activity, use the DHCP Activity Real-Time Report.

Menu path: home: Reports > Network Activity > DHCP Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, MAC Address, Client Name, Lease Address, Action, Status, and Count:

Table 77 DHCP Activity Report Optional Filter Operators

Option            Description
Source Device     Device that sent these log messages
MAC Address       MAC IP address
Client Name       Name of the client
Lease Address
Action            Action taken
Status            Status of the activity
Count             Number of connections

When you drill down on the DHCP Activity report's results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.

For information on saving the generated report, see Saving a Generated Report on page 119.

DHCP Granted/Renewed Activity Report

To search for and generate a report on events related to DHCP requests that were granted or renewed, use the DHCP Granted/Renewed Activity Real-Time Report.

Menu path: home: Reports > Network Activity > DHCP Granted/Renewed Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, MAC Address, Client Name, Lease Address, Action, Status, and Count:

Table 78 DHCP Granted/Renewed Activity Report Optional Filter Operators

Option            Description
Source Device     Device that sent these log messages
MAC Address       MAC IP address
Client Name       Name of the client
Lease Address
Action            Action taken
Status            Status of the activity
Count             Number of connections

When you drill down on the DHCP Granted/Renewed Activity report's results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.

For information on saving the generated report, see Saving a Generated Report on page 119.

DHCP Denied Activity Report

To search for and generate a report on events related to DHCP requests that were denied, use the DHCP Denied Activity Real-Time Report.

Menu path: home: Reports > Network Activity > DHCP Denied Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, MAC Address, Client Name, Lease Address, Action, Status, and Count:

Table 79 DHCP Denied Activity Report Optional Filter Operators

Option            Description
Source Device     Device that sent these log messages
MAC Address       MAC IP address
Client Name       Name of the client
Lease Address
Action            Action taken
Status            Status of the activity
Count             Number of connections

When you drill down on the DHCP Denied Activity report's results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.

For information on saving the generated report, see Saving a Generated Report on page 119.

NAT64 Activity Report

To search for and generate a report on each binding as sessions are built and destroyed, use the NAT64 Activity Real-Time Report.

Menu path: home: Reports > Network Activity > NAT64 Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Time, Translated IPv6, Original IPv4, Original IPv6 Port, Original IPv4 Port, and Count:

Table 80 NAT64 Activity Report Optional Filter Operators

Option              Description
Source Device       Device that sent these log messages
Time                Time of connection
Translated IPv6     The translated IPv6 address
Original IPv4       The original IPv4 address
Original IPv6 port  The port of the original IPv6 address
Original IPv4 port  The port of the original IPv4 address
Count               Number of connections

When you drill down on the NAT64 Activity report's results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.

For information on saving the generated report, see Saving a Generated Report on page 119.


Operational Reports

To search for and generate reports on information about syslog messages on log sources, use Event Logs reports.

The Report Information tab that appears when you click home: Reports > Operational lists which reports are available for each log source.

To access Event Logs reports

Choose home: Reports > Operational > report-name from the navigation menu, where report-name is any one of the following reports:

Table 81 Operational Reports

Report                Page      Description
All Unparsed Events   page 192  Use the All Unparsed Events screen to search for and generate a report on unparsed syslog messages for selected devices.
Firewall Statistics   page 192  Use the Firewall Statistics screen to search for and generate a report summarizing firewall syslog messages classified as security messages.
Total Message Count   page 193  Use the Total Message Count screen to search for and generate a report summarizing firewall or Nortel VPN device syslog messages classified as system messages.
Security Events       page 194  Use the Security Events screen to search for and generate a report on firewall syslog messages classified as security messages.
System Events         page 195  Use the System Events screen to search for and generate a report on firewall or Nortel VPN device syslog messages classified as system messages.
VPN Events            page 196  Use the VPN Events screen to search for and generate a report on the number of Cisco VPN syslog messages that appear with the type called “System Type”.

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each Event Logs report, and explained in their respective sections.


For information on saving the generated report, see Saving a Generated Report on page 119.

All Unparsed Events Reports

To search for and generate a report on syslog messages that are not parsed into the Security, System, or VPN Events reports, or into any other report table (for example, Authentication), for selected log sources during a specified time interval, use the All Unparsed Events Real-Time Report.

Menu path: home: Reports > Operational > All Unparsed Events

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators are not visible if you select the Boolean Search in the Search Filter criteria.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are all selected:

Table 82 All Unparsed Events Report Optional Filter Operators

Option              Description
Source Device       Description of the device that sent the log messages
Source Device IP    IP address of the source device that sent the log messages
Facility            Syslog facility associated with the message
Severity            Severity code associated with the message
Count               Number of times syslog messages were generated

For information on saving the generated report, see Saving a Generated Report on page 119.

Firewall Statistics Reports

To search for and generate a summary report of event types and messages per firewall, for selected log sources during a specified time interval, use the Firewall Statistics Real-Time Report.

Menu path: home: Reports > Operational > Firewall Statistics


In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators are not visible if you select the Boolean Search in the Search Filter criteria.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are all selected:

Table 83 Firewall Statistics Report Optional Filter Operators

Option              Description
Source Device       Description of the device that sent the log messages
System Messages     The number of system messages
Security Messages   The number of security messages
Accepted Messages   The number of accepted messages
Denied Messages     The number of denied messages
Total Messages      The total number of messages

For information on saving the generated report, see Saving a Generated Report on page 119.

Total Message Count Reports

To search for and generate a summary report of log messages for selected log sources at a specified time interval, use the Total Message Count Report.

Menu path: home: Reports > Operational > Total Message Count

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators are not visible if you select the Boolean Search in the Search Filter criteria.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are all selected:

Table 84 Total Message Count Report Optional Filter Operators

Option          Description
Time            Time the syslog message was generated
Source Device   Description of the device that sent the log messages
Messages        The total number of messages

For information on saving the generated report, see Saving a Generated Report on page 119.

Security Events Reports

To search for and generate a report on firewall syslog messages classified as security messages for selected log sources during a specified time interval, use the Security Events Real-Time Report.

Menu path: home: Reports > Operational > Security Events

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are all selected:

Table 85 Security Events Report Optional Filter Operators

Option                    Description
Source Device             Description of the device originating the connection
Source Device IP          IP address of the source device
Message Code              Code number of the security message
Message Code Description  Description of the security message (Cisco PIX only)
Module                    Juniper Netscreen module name, that is, system (Juniper Firewall only)
Severity                  The severity codes are listed below (Juniper Firewall only):
                          0 Emergency: system is unusable
                          1 Alert: action must be taken immediately
                          2 Critical: critical conditions
                          3 Error: error conditions
                          4 Warning: warning conditions
                          5 Notice: normal but significant condition
                          6 Informational: informational messages
                          7 Debug: debug-level messages
Count                     Number of syslog messages classified as security messages generated

For information on saving the generated report, see Saving a Generated Report on page 119.

System Events Reports

To search for and generate a report on firewall or Nortel VPN device syslog messages classified as system messages for selected log sources during a specified time interval, use the System Events Real-Time Report.

Menu path: home: Reports > Operational > System Events

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. Optional filter operators are not visible if you select Boolean Search in the Search Filter criteria. By default, the following options are all selected:

Table 86 System Events Report Optional Filter Operators

Option                    Description
Source Device             Description of the device that sent these log messages
Source Device IP          IP address of the source device that sent these log messages
Message Code              Code number of the system message
Message Code Description  Description of the system message (Cisco PIX only)
Module                    Juniper Netscreen module name, that is, system (Juniper Firewall only)
Severity                  The severity codes are listed below (Juniper Firewall only):
                          0 Emergency: system is unusable
                          1 Alert: action must be taken immediately
                          2 Critical: critical conditions
                          3 Error: error conditions
                          4 Warning: warning conditions
                          5 Notice: normal but significant condition
                          6 Informational: informational messages
                          7 Debug: debug-level messages
Count                     Number of system messages received for the specified code

For information on saving the generated report, see Saving a Generated Report on page 119.

VPN Events Reports

To search for and generate a report on Cisco VPN, CheckPoint VPN, Nortel VPN, or RADIUS syslog messages of the System Message type for selected log sources during a specified time interval, use the VPN Events Real-Time Report.

Menu path: home: Reports > Operational > VPN Events

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

By default, the following options are all selected:

Table 87 VPN Events Report Optional Filter Operators

Option          Description
Time            Time the syslog message was generated
Source Device   IP address of the device originating the connection
Group           VPN group name
User            VPN user ID
Public IP       Public IP address originating the VPN connection
Severity        Severity code associated with the message
Code            Code number of the system message
Area            Name of the defined VPN area
Detail Message  Text of the syslog message

For information on saving the generated report, see Saving a Generated Report on page 119.

Appliances cannot receive disconnect messages. A VPN session is recorded permanently in the authentication database table after it is disconnected; before that, the session is considered active. A Check Point VPN session is considered disconnected when a new connection attempt is made by the same user from the same IP address.
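The session rule above, worked through as an added example (this is illustration code, not LogLogic's implementation): only connection attempts are seen, a session stays active until the same user connects again from the same public IP, and the earlier session is then closed and written to the permanent table. The event line format, field names, and the in-memory list standing in for the authentication table are assumptions of the example.

```python
"""Session model for the Check Point VPN rule in the VPN Events section.

Added illustration, not LogLogic code. The appliance sees only connection
attempts (no disconnect messages), so a session stays active until the
same user connects again from the same public IP; the earlier session is
then treated as disconnected and written permanently to the
authentication table. The event line format, field names and the
in-memory list standing in for that table are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    public_ip: str
    started: datetime
    ended: Optional[datetime] = None  # None while the session is still active


SessionKey = Tuple[str, str]  # (user, public IP): the "same user, same IP" rule


class VpnSessionTracker:
    def __init__(self) -> None:
        self.active: Dict[SessionKey, Session] = {}
        # Stand-in for the permanent 'authentication' database table.
        self.authentication: List[Session] = []

    def connect(self, user: str, public_ip: str, when: datetime) -> Optional[Session]:
        """Record a connection attempt; return the session it closed, if any."""
        key = (user, public_ip)
        previous = self.active.get(key)
        if previous is not None:
            # Same user from the same IP: the earlier session is now
            # considered disconnected and becomes a permanent record.
            previous.ended = when
            self.authentication.append(previous)
        # A different IP for the same user closes nothing; it simply opens
        # a second active session alongside the first.
        self.active[key] = Session(user, public_ip, when)
        return previous


def parse_event(line: str) -> Tuple[datetime, str, str]:
    """Parse a constructed '<ISO time> user=<id> public_ip=<ip>' line."""
    stamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(stamp), kv["user"], kv["public_ip"]


def replay(lines: List[str]) -> VpnSessionTracker:
    """Feed connection events, in time order, through the tracker."""
    tracker = VpnSessionTracker()
    for line in lines:
        when, user, ip = parse_event(line)
        tracker.connect(user, ip, when)
    return tracker


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "2016-01-12T08:00:00 user=alice public_ip=203.0.113.10",
    "2016-01-12T08:05:00 user=bob public_ip=203.0.113.11",
    "2016-01-12T09:30:00 user=alice public_ip=203.0.113.10",  # closes alice's first session
    "2016-01-12T09:45:00 user=alice public_ip=198.51.100.7",  # new IP: separate session
]

if __name__ == "__main__":
    t = replay(SAMPLE_EVENTS)
    for s in t.authentication:
        print(f"disconnected: {s.user}@{s.public_ip} {s.started} -> {s.ended}")
    for s in t.active.values():
        print(f"active:       {s.user}@{s.public_ip} since {s.started}")
```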


Policy Reports

To search for and generate reports on information about policies that were exercised on a log source, use Policy reports.

The Report Information tab that appears when you click home: Reports > Policy Reports lists which reports are available for each log source.

To access Policy Reports

Choose home: Reports > Policy Reports > report-name from the navigation menu, where report-name is one of:

Table 88 Policy Reports

Report                 Page      Reports Provide
Check Point Policies   page 199  The Check Point Policies report lists current Check Point Firewall policy rules on log sources connected to your Appliance.
Network Policies       page 199  Use the Network Policies screen to search for and generate a report on the number of times a particular network policy has been exercised by a selected firewall device.
Rules/Policies         page 200  Use the Rules/Policies screen to search for and generate a report on enforcement of a particular rule or policy by a selected firewall device.
ECM Policy             page 201  Use the ECM Policy screen to search for and generate a report on data leak protection events captured by the log source device.

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports. Check Point Policy reports do not include the common options shared by other Real-Time Reports.

Optional filter operators are different for each Policy report, and explained in their respective sections.

For information on saving the generated report, see Saving a Generated Report on page 119.


Check Point Policies Reports

To search for and generate a report listing current Check Point Firewall policy rules on log sources connected to your Appliance, use the Check Point Policy Real-Time Report.

Menu path: home: Reports > Policy Reports > Check Point Policy

Table 89 Check Point Policy Screen Elements

Element      Description
LEA Server   LEA servers connected to your system.
Package      Security package that Check Point organizes for policy rules. For example, you can install one package on a firewall, but you can define several packages at the same time.
Rule Index   Rule numbers (representing Check Point indices) that the CPMI process retrieves. You can view Check Point policy rules only if you configured your LEA server to use auto discovery (CPMI).
             Note: Rule 0 is not assigned by Check Point. It is assigned by LogLogic as a default for parsed messages that do not automatically have a rule number assigned by Check Point.
Rule         Description for the rule.

For information on saving the generated report, see Saving a Generated Report on page 119.

Network Policies Reports

To search for and generate a report on the number of times a particular network policy has been exercised by selected firewall log sources during a specified time interval, use the Network Policies Real-Time Report.

Menu path: home: Reports > Policy Reports > Network Policies

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Log Source IP, Source IP, Destination IP, Destination Port, Signature, and Count:

Table 90 Network Policies Report Optional Filter Operators

Option            Description
Log Source IP     IP address of the device that sent these log messages
Source IP         IP address of the device that exercised the policy
Source Port       Port of the source device
Destination IP    IP address of the destination device
Destination Port  Port of the destination device
Protocol          Protocol of the destination device
Signature         Identifier of the policy
Classification    Classification of the policy
Priority          Priority of the policy
Count             Number of times a policy was exercised

For information on saving the generated report, see Saving a Generated Report on page 119.

Rules/Policies Reports

To search for and generate a report on information about enforcement of a particular rule or policy by selected firewall devices during a specified time interval, use the Rules/Policies Real-Time Report.

Menu path: home: Reports > Policy Reports > Rules/Policies

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display all the following options:

Table 91 Rules/Policies Report Optional Filter Operators

Option            Description
Interface         Name (or IP address) of the network interface that enforced the policy
Rule              Rule number that was enforced (Check Point Interface only)
Policy            Policy number that was enforced
Type              Type of rule/policy that was enforced
Messages          Number of messages received representing this policy
Bar Graph         Number of messages received, expressed as a bar graph
Percentage        Number of messages received, expressed as a percentage
Package           Security policy package (Check Point Interface only)
Rule Description  Displays Rule Details (Source, Destination, Service Description) and Rule Actions (Permit, Deny, etc.) (Check Point Interface only)

For information on saving the generated report, see Saving a Generated Report on page 119.

ECM Policy Reports

To search for and generate a report on data leak protection events captured by the log source device, use the ECM Policy Real-Time Report.

Menu path: home: Reports > Policy Reports > ECM Policy

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source Device IP, Performer Name, Parent Name, Event, Event Name, and Count:

Table 92 ECM Policy Report Optional Filter Operators

Option            Description
Source Device     Device that sent these log messages
Source Device IP  IP address of the device that exercised the policy
Performer Name    Name of the performer
Parent Name       Name of the parent
Object Name       Name of the object that was acted on
Event             The type of event
Event Name        Name of the event
Source Name       Name of the source host device
Count             Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.


Enterprise Content Management

To search for and generate reports on information about enterprise content management, use Enterprise Content Management reports.

The Report Information tab that appears when you click home: Reports > Enterprise Content Management Reports lists which reports are available for each log source.

To access Enterprise Content Management Reports

Choose home: Reports > Enterprise Content Management Reports > report-name from the navigation menu, where report-name is one of:

Table 93 Enterprise Content Management Reports

Report                      Page      Reports Provide
ECM Activity                page 204  Use the ECM Activity screen to generate a report for ECM activity.
Content Management          page 205  Use the Content Management screen to generate a report containing logs of events which correspond to some action done on the contents of the site.
Security Settings           page 205  Use the Security Settings screen to generate a report containing logs of all the events related to creation, deletion, and modification of users, groups, and roles.
Expiration and Disposition  page 206  Use the Expiration and Disposition screen to generate a report containing logs of all events related to object expiration and disposition approvals.

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports. Check Point Policy reports do not include the common options shared by other Real-Time Reports.

Optional filter operators are different for each Enterprise Content Management report, and explained in their respective sections.

For information on saving the generated report, see Saving a Generated Report on page 119.


ECM Activity Reports

To search for and generate a report on ECM activity, use the ECM Activity Real-Time Report.

Menu path: home: Reports > Enterprise Content Management Reports > ECM Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source Device IP, Performer Name, Parent Name, Event, and Count:

Table 94 ECM Activity Report Optional Filter Operators

Option            Description
Source Device     Device that sent these log messages
Source Device IP  IP address of the device that exercised the policy
Performer Name    Name of the performer
Parent Name       Name of the parent
Object Name       Name of the object that was acted on
Event             The type of event
Event Name        Name of the event
Source Name       Name of the source host device
Source IP         IP address of the source host
Destination IP    IP address that was targeted
Source Port       Port from which the attack originated
Destination Port  Port that was targeted
Protocol          Protocol of the destination device
Count             Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.


Content Management Reports

To search for and generate a report containing logs of events which correspond to some action done on the contents of the site, use the Content Management Real-Time Report.

Menu path: home: Reports > Enterprise Content Management Reports > Content Management

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source Device IP, Performer Name, Parent Name, Object Type, Event, and Count:

Table 95 Content Management Report Optional Filter Operators

Option            Description
Source Device     Device that sent these log messages
Source Device IP  IP address of the device that exercised the policy
Performer Name    Name of the performer
Parent Name       Name of the parent
Object Type       Type of object that was acted on
Object Name       Name of the object that was acted on
Event             The type of event
Event Name        Name of the event
Source Name       Name of the source host device
Count             Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.

Security Settings Reports

To search for and generate a report containing logs of all the events related to creation, deletion, and modification of users, groups, and roles, use the Security Settings Real-Time Report.


Menu path: home: Reports > Enterprise Content Management Reports > Security Settings

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source Device IP, Performer Name, Parent Name, Event, and Count:

Table 96 Security Settings Report Optional Filter Operators

Option            Description
Source Device     Device that sent these log messages
Source Device IP  IP address of the device that exercised the policy
Performer Name    Name of the performer
Parent Name       Name of the parent
Object Name       Name of the object that was acted on
Event             The type of event
Event Name        Name of the event
Source Name       Name of the source host device
Count             Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.

Expiration and Disposition Reports

To search for and generate a report containing logs of all events related to object expiration and disposition approvals, use the Expiration and Disposition Real-Time Report.

Menu path: home: Reports > Enterprise Content Management Reports > Expiration and Disposition

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.


You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source Device IP, Performer Name, Parent Name, Object Name, Event, Event Name, and Count:

Table 97 Expiration and Disposition Report Optional Filter Operators

Option            Description
Source Device     Device that sent these log messages
Source Device IP  IP address of the device that exercised the policy
Performer Name    Name of the performer
Parent Name       Name of the parent
Object Name       Name of the object that was acted on
Event             The type of event
Event Name        Name of the event
Source Name       Name of the source host device
Count             Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.


HP NonStop Audit

To search for and generate reports on information about HP NonStop systems, including Audit and EMS log data, use HP NonStop Audit reports.

The Report Information tab that appears when you click home: Reports > HP NonStop Audit Reports lists which reports are available for each log source.

To access HP NonStop Audit Reports

Choose home: Reports > HP NonStop Audit Reports > report-name from the navigation menu, where report-name is one of:

Table 98 HP NonStop Audit Reports

Report                        Page      Reports Provide
Configuration Changes         page 209  Use the Configuration Changes screen to generate a report for all configuration changes made on an HP NonStop server during a specified time.
Failed and Successful Logins  page 210  Use the Failed and Successful Logins screen to generate a report for all successful and failed logins on an HP NonStop Audit server.
Object Changes                page 210  Use the Object Changes screen to generate a report for all objects that are accessed on an HP NonStop Audit server.
HP NonStop Audit Activity     page 211  Use the HP NonStop Audit Activity screen to generate a report for all audit activities on an HP NonStop Audit server.
User Actions                  page 213  Use the User Actions screen to generate a report for all user actions done on an HP NonStop Audit server.
Object Access                 page 214  Use the Object Access screen to generate a report for a list of all objects created, deleted, or modified on an HP NonStop Audit server.

Preparing a Real-Time Report on page 116

includes the common options that you specify for all Real-Time Reports.

Optional filter operators are different for each HP NonStop Audit report, and explained in their respective sections.


For information on saving the generated report, see Saving a Generated Report on page 119.

Configuration Changes Reports

To search for and generate a report on all configuration changes made on an HP NonStop server during a specified time, use the Configuration Changes Real-Time Report.

Menu path: home: Reports > HP NonStop Audit Reports > Configuration Changes

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:

Table 99 Configuration Changes Report Optional Filter Operators

Option              Description
Source Device       Device that sent these log messages
User Name           Name of the user making the inquiry
Creator User Name   Username of the creator
Target User         User for whom the inquiry is being made
User Group          Name of the group
Reported Time       Time the event was reported
Process Name        Name of the process
Event Name          Name of the event
Object Type         Type of object that was acted on
Action              Action taken
Status              Status of the connection
Count               Number of attacks


For information on saving the generated report, see Saving a Generated Report on page 119.

Failed and Successful Logins Reports

To search for and generate a report of all successful and failed logins on an HP NonStop Audit server, use the Failed and Successful Logins Real-Time Report.

Menu path: home: Reports > HP NonStop Audit Reports > Failed and Successful Logins

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:

Table 100 Failed and Successful Logins Report Optional Filter Operators

Option              Description
Source Device       Device that sent these log messages
User Name           Name of the user making the inquiry
Creator User Name   Username of the creator
Target User         User for whom the inquiry is being made
User Group          Name of the group
Reported Time       Time the event was reported
Process Name        Name of the process
Event Name          Name of the event
Object Type         Type of object that was acted on
Action              Action taken
Status              Status of the connection
Count               Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.


Object Changes Reports

To search for and generate a report of all objects that are accessed on an HP NonStop Audit server, use the Object Changes Real-Time Report.

Menu path: home: Reports > HP NonStop Audit Reports > Object Changes

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:

Table 101 Object Changes Report Optional Filter Operators

Option              Description
Source Device       Device that sent these log messages
User Name           Name of the user making the inquiry
Creator User Name   Username of the creator
Target User         User for whom the inquiry is being made
User Group          Name of the group
Reported Time       Time the event was reported
Process Name        Name of the process
Event Name          Name of the event
Object Type         Type of object that was acted on
Action              Action taken
Status              Status of the connection
Count               Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.


HP NonStop Audit Activity Reports

To search for and generate a report of all audit activities on an HP NonStop Audit server, use the HP NonStop Audit Activity Real-Time Report.

Menu path: home: Reports > HP NonStop Audit Reports > HP NonStop Audit Activity

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:

Table 102 HP NonStop Audit Activity Report Optional Filter Operators

Option              Description
Source Device       Device that sent these log messages
User Name           Name of the user making the inquiry
Creator User Name   Username of the creator
Target User         User for whom the inquiry is being made
User Group          Name of the group
Reported Time       Time the event was reported
Process Name        Name of the process
Event Name          Name of the event
Object Type         Type of object that was acted on
Action              Action taken
Status              Status of the connection
Count               Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.


User Actions Reports

To search for and generate a report of all user actions performed on an HP NonStop Audit server, use the User Actions Real-Time Report.

Menu path: home: Reports > HP NonStop Audit Reports > User Actions

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:

Table 103 User Actions Report Optional Filter Operators

Option              Description
Source Device       Device that sent these log messages
User Name           Name of the user making the inquiry
Creator User Name   Username of the creator
Target User         User for whom the inquiry is being made
User Group          Name of the group
Reported Time       Time the event was reported
Process Name        Name of the process
Event Name          Name of the event
Object Type         Type of object that was acted on
Action              Action taken
Status              Status of the connection
Count               Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.


Object Access Reports

To search for and generate a report listing all objects created, deleted, or modified on an HP NonStop Audit server, use the Object Access Real-Time Report.

Menu path: home: Reports > HP NonStop Audit Reports > Object Access

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:

Table 104 Object Access Report Optional Filter Operators

Option              Description
Source Device       Device that sent these log messages
User Name           Name of the user making the inquiry
Creator User Name   Username of the creator
Target User         User for whom the inquiry is being made
User Group          Name of the group
Reported Time       Time the event was reported
Process Name        Name of the process
Event Name          Name of the event
Object Type         Type of object that was acted on
Action              Action taken
Status              Status of the connection
Count               Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.


IBM z/OS Activity

To search for and generate reports on the operational and audit logs that IBM z/OS systems generate in binary format, use IBM z/OS Activity reports.

The Report Information tab that appears when you click home: Reports > IBM z/OS Activity Reports lists which reports are available for each log source.

To access IBM z/OS Activity Reports

Choose home: Reports > IBM z/OS Activity Reports > report-name from the navigation menu, where report-name is one of:

Table 105 IBM z/OS Activity Reports

Report                                   Reports Provide
Resource Access (page 216)               Use the Resource Access screen to generate a report of resource access on z/OS.
Security Modifications (page 217)        Use the Security Modifications screen to generate a report of security modifications on z/OS.
System Access/Configuration (page 218)   Use the System Access/Configuration screen to generate a report of access and configuration activity on z/OS.
Unix System Services (page 218)          Use the Unix System Services screen to generate a report of Unix System Services activity on z/OS.
Login/Logout (page 219)                  Use the Login/Logout screen to generate a report of login and logout activities on z/OS.
Violation (page 220)                     Use the Violation screen to generate a report of violation activities on z/OS.

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators differ for each IBM z/OS report and are explained in their respective sections.

For information on saving the generated report, see Saving a Generated Report on page 119.


Resource Access Reports

To search for and generate a report on resource access on z/OS, use the Resource Access Real-Time Report.

Menu path: home: Reports > IBM z/OS Activity > Resource Access

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, Record Type Description, Action, Status, and Count:

Table 106 Resource Access Report Optional Filter Operators

Option                   Description
Source Device            Device that sent these log messages
Record Type ID           The ID of the record type
Record Type Description  Description of the record type
SubType Description      Description of the sub type
Event Type               Type of event in the journal type
Logon ID/User ID         A user ID or login ID involved in the recorded event
Job Name                 Name of the journal job or the job that was the target of the action described in the entry
Target Object Name       Name of the object that was acted on
Target Object Type       Type of target object that was acted on
Action                   Action taken
Status                   Status of the connection
Count                    A count of action attempts, entries, or other count information dependent on journal and entry type

For information on saving the generated report, see Saving a Generated Report on page 119.


Security Modifications Reports

To search for and generate a report of security modification activities on z/OS, use the Security Modifications Real-Time Report.

Menu path: home: Reports > IBM z/OS Activity > Security Modifications

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, Record Type Description, Event Type, Action, Status, and Count:

Table 107 Security Modifications Report Optional Filter Operators

Option                   Description
Source Device            Device that sent these log messages
Record Type ID           The ID of the record type
Record Type Description  Description of the record type
SubType Description      Description of the sub type
Event Type               Type of event in the journal type
Logon ID/User ID         A user ID or login ID involved in the recorded event
Job Name                 Name of the journal job or the job that was the target of the action described in the entry
Target Object Name       Name of the object that was acted on
Target Object Type       Type of target object that was acted on
Action                   Action taken
Status                   Status of the connection
Count                    A count of action attempts, entries, or other count information dependent on journal and entry type

For information on saving the generated report, see Saving a Generated Report on page 119.


System Access/Configuration Reports

To search for and generate a report of access and configuration activities on z/OS, use the System Access/Configuration Real-Time Report.

Menu path: home: Reports > IBM z/OS Activity > System Access/Configuration

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, Record Type Description, Event Type, Action, Status, and Count:

Table 108 System Access/Configuration Report Optional Filter Operators

Option                   Description
Source Device            Device that sent these log messages
Record Type ID           The ID of the record type
Record Type Description  Description of the record type
SubType Description      Description of the sub type
Event Type               Type of event in the journal type
Logon ID/User ID         A user ID or login ID involved in the recorded event
Job Name                 Name of the journal job or the job that was the target of the action described in the entry
Action                   Action taken
Status                   Status of the connection
Count                    A count of action attempts, entries, or other count information dependent on journal and entry type

For information on saving the generated report, see Saving a Generated Report on page 119.

Unix System Services Reports

To search for and generate a report of Unix System Services activity on z/OS, use the Unix System Services Real-Time Report.

Menu path: home: Reports > IBM z/OS Activity > Unix System Services


In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, Record Type Description, Event Type, Action, Status, and Count:

Table 109 Unix System Services Report Optional Filter Operators

Option                   Description
Source Device            Device that sent these log messages
Record Type ID           The ID of the record type
Record Type Description  Description of the record type
SubType Description      Description of the sub type
Event Type               Type of event in the journal type
Logon ID/User ID         A user ID or login ID involved in the recorded event
Job Name                 Name of the journal job or the job that was the target of the action described in the entry
Target Object Name       Name of the object that was acted on
Target Object Type       Type of target object that was acted on
Action                   Action taken
Status                   Status of the connection
Count                    A count of action attempts, entries, or other count information dependent on journal and entry type

For information on saving the generated report, see Saving a Generated Report on page 119.

Login/Logout Reports

To search for and generate a report of login and logout activities on z/OS, use the Login/Logout Real-Time Report.

Menu path: home: Reports > IBM z/OS Activity > Login/Logout


In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, Record Type Description, Event Type, Action, Status, and Count:

Table 110 Login/Logout Report Optional Filter Operators

Option                   Description
Source Device            Device that sent these log messages
Record Type ID           The ID of the record type
Record Type Description  Description of the record type
SubType Description      Description of the sub type
Event Type               Type of event in the journal type
Logon ID/User ID         A user ID or login ID involved in the recorded event
Target User              User for whom the inquiry is being made
Job Name                 Name of the journal job or the job that was the target of the action described in the entry
Action                   Action taken
Status                   Status of the connection
Count                    A count of action attempts, entries, or other count information dependent on journal and entry type

For information on saving the generated report, see Saving a Generated Report on page 119.

Violation Reports

To search for and generate a report of violation activities on z/OS, use the Violation Real-Time Report.

Menu path: home: Reports > IBM z/OS Activity > Violation

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.


You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, Record Type Description, Event Type, Action, Status, and Count:

Table 111 Violation Report Optional Filter Operators

Option                   Description
Source Device            Device that sent these log messages
Record Type ID           The ID of the record type
Record Type Description  Description of the record type
SubType Description      Description of the sub type
Event Type               Type of event in the journal type
Logon ID/User ID         A user ID or login ID involved in the recorded event
Target User              User for whom the inquiry is being made
Job Name                 Name of the journal job or the job that was the target of the action described in the entry
Target Object Name       Name of the object that was acted on
Target Object Type       Type of target object that was acted on
Violation Occurred
Action                   Action taken
Status                   Status of the connection
Count                    A count of action attempts, entries, or other count information dependent on journal and entry type

For information on saving the generated report, see Saving a Generated Report on page 119.


Storage Systems Activity

To search for and generate reports on file and directory access, use Storage Systems Activity reports.

The Report Information tab that appears when you click home: Reports > Storage Systems Activity Reports lists which reports are available for each log source.

To access Storage Systems Activity Reports

Choose home: Reports > Storage Systems Activity Reports > report-name from the navigation menu, where report-name is one of:

Table 112 Storage Systems Activity Reports

Report                    Reports Provide
Filer Access (page 222)   Use the Filer Access screen to generate a report of individual file and directory access events, including the user, timestamp, and result.

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators differ for each Storage Systems Activity report and are explained in their respective sections.

For information on saving the generated report, see Saving a Generated Report on page 119.

Filer Access Reports

To search for and generate a report of individual file and directory access events, use the Filer Access Real-Time Report.

Menu path: home: Reports > Storage Systems Activity > Filer Access

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.


You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, User, Filer IP, Filer Name, Action, Status, and Count:

Table 113 Filer Access Report Optional Filter Operators

Option              Description
Source Device       Device that sent these log messages
User                User who is making the inquiry
Source IP           IP address of the source host device
Target User         User for whom the inquiry is being made
Filer IP            IP address of the filer
Filer Name          Name of the filer
Action              Action taken
Status              Status of the connection
Count               Number of connections

For information on saving the generated report, see Saving a Generated Report on page 119.


Flow Activity

To search for and generate reports on application usage, user browsing, and top users, use Flow Activity reports.

The Report Information tab that appears when you click home: Reports > Flow Activity Reports lists which reports are available for each log source.

To access Flow Activity Reports

Choose home: Reports > Flow Activity Reports > report-name from the navigation menu, where report-name is one of:

Table 114 Flow Activity Reports

Report                               Reports Provide
Application Usage (page 224)         Use the Application Usage screen to generate a report of application usage seen across all traffic.
User Browsing Statistics (page 225)  Use the User Browsing Statistics screen to generate a report of site destination statistics by user.
Top Users (page 226)                 Use the Top Users screen to generate a report of the top traffic users.

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.

Optional filter operators differ for each Flow Activity report and are explained in their respective sections.

For information on saving the generated report, see Saving a Generated Report on page 119.

Application Usage Reports

To search for and generate a report of application usage seen across all traffic, use the Application Usage Real-Time Report.

Menu path: home: Reports > Flow Activity > Application Usage

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.


You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, Time, Category, Application Name, Bar Graph, Percentage, Total Traffic, and Count:

Table 115 Application Usage Report Optional Filter Operators

Option              Description
Source Device       Device that sent these log messages
Time                Time of connection
Category            The type of category
Application Name    Name of the application
Bar Graph           Percentage of total bytes represented as a bar graph
Percentage          Number of bytes represented as a percentage of the total
Total Traffic       Total amount of traffic
Count               Number of connections

For information on saving the generated report, see Saving a Generated Report on page 119.

User Browsing Statistics Reports

To search for and generate a report of site destination statistics by user, use the User Browsing Statistics Real-Time Report.

Menu path: home: Reports > Flow Activity > User Browsing Statistics

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, Time, User IP, Destination Name, and Number of times Accessed:

Table 116 User Browsing Statistics Report Optional Filter Operators

Option                    Description
Source Device             Device that sent these log messages
Time                      Time of connection
User IP                   IP address of the user making the inquiry
Destination Address       IP address that was targeted
Number of times Accessed  The number of times the destination was accessed

For information on saving the generated report, see Saving a Generated Report on page 119.

Top Users Reports

To search for and generate a report of the top traffic users, use the Top Users Real-Time Report.

Menu path: home: Reports > Flow Activity > Top Users

In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.

You can sort the displayed columns in ascending or descending order; choose the sort order from the drop-down menu. By default the report displays Source Device, Time, User IP, Bar Graph, Percentage, Total Traffic, and Count:

Table 117 Top Users Report Optional Filter Operators

Option              Description
Source Device       Device that sent these log messages
Time                Time of connection
Category            The type of category
User IP             IP address of the user making the inquiry
Bar Graph           Percentage of total bytes represented as a bar graph
Percentage          Number of bytes represented as a percentage of the total
Total Traffic       Total amount of traffic
Count               Number of connections


For information on saving the generated report, see Saving a Generated Report on page 119.


All Saved Reports

The All Saved Reports screen lists every report you have saved in the past, each defined by a data type, a search expression, and a time interval. All saved searches and report types stored in the system, such as Index Search, RegEx Search, and Index Report, are visible on this page.

Click the Run icon to regenerate a report with a different time range, or click the Edit icon to change the saved report parameters before rerunning it. All options are available, not just the ones originally selected, so you can customize the new report with new filters and wildcards. You can also filter the list of saved reports by title: type a key word from the report title in the Find field and press Enter. The key word or words are highlighted in the resulting list. To restore the full list of saved reports, clear the Find field and press Enter again.

For more information on saving the generated report, see Saving a Generated Report on page 119.


Chapter 7

Setting User Preferences

The admin tab on the home page lets you view and change your Account Information and System Preferences, and change your password.

Topics

Viewing Your LogApp Account on page 230

Changing Login Landing Page on page 231

Changing LogApp Account Password on page 232


Viewing Your LogApp Account

To view your LogApp Account

1. Choose admin from the home page.

2. Review and accept or change the default settings as explained in Table 118.

Table 118 Account Options

Element                  Description
Account Information
  User Login             The login name of the current user. This can be reset by the system administrator or the user.
  Email Address          The email address of the current user. This can be reset by the system administrator or the user.
System Preferences
  Rows per Page          The number of rows that display in each report page. The user can set it from 10 to 1000 rows.
  Page Refresh Rate      The page refresh rate in seconds. The user can set it from 30 to 600 seconds.
  Emailed Chart Size     The number of segments in display charts. The user can set it from 3 to 30 segments.
  Session Timeout        The user can set the session timeout from 5 to 300 minutes. The default is 300 minutes (5 hours); a shorter value limits how long an unattended browser session remains usable.
  Enable Multiline View  Checking this checkbox enables display of multiple lines in PDF and HTML reports.
  Login Landing Page     The page that appears immediately after logging in to the LMI Appliance. You can change this at any time. For instructions, see Changing Login Landing Page on page 231.

3. Click Save.


Changing Login Landing Page

The Login Landing Page (Home) appears immediately upon logging in to the LMI Appliance. By default the LogLogic Overview Welcome screen is displayed. However, you can change your landing page at any time.

To change your login landing page

1. Choose admin from the home page.

2. Click the down arrow next to Login landing page and select one of the other landing page options: My Dashboard, System Status, Triggered Alerts, Index Search, All Saved Reports, or All Saved Searches.

3. Click Save.

The next time you log in to the Appliance, the home page you selected in this step is displayed. You can change this destination at any time.


Changing LogApp Account Password

You can change your password at any time.

To change your password

1. Choose admin from the home page.

2. Click the Change Password button. The Change Password dialog box appears and shows the date of the last password update.

3. In the Current Password field, enter your current password.

4. In the New Password field, enter your new password. Note the password requirements specified on the window.

5. In the Confirm New Password field, enter your new password again for verification.

Appendix A

Syslog Host Field Character Sets

This appendix describes the acceptable character sets in an ASCII syslog header.

Topics

Syslog Header Character Sets on page 234

Exceptions on page 235


Syslog Header Character Sets

The following table lists and describes the acceptable characters in an ASCII syslog header.

Table 119 Acceptable Alpha/Numeric Character Sets

Character Description               Examples
Alpha chars, upper or lower case    A-Z and a-z
Numbers                             0-9
Punctuation                         at @, underscore _, period ., slash /, colon :, asterisk *, brackets [ ], parentheses ( ), plus +, minus -, space, tab


Exceptions

The following exceptions are noted for ASCII syslog headers:

• Some Unix/Linux syslog messages carry a path in the process name. This is handled by looking for a leading slash (/) followed by any number of the following characters:

  — Alpha characters, upper or lower case: A-Z a-z

  — The numbers 0-9

  — Punctuation: underscore _, period ., dash -

• Whether a space or a tab precedes the log source target string depends on the log source. Some log sources have one or more spaces at that point; others have only a tab. Specifically:

  — Windows messages require a space before the target string.

  — Cisco VPN3000 requires a tab.
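The following Python checker is an added example, not code from the LogLogic manual or the LMI product. It applies the Table 119 character set and both exceptions above to a BSD-style syslog header. The header layout it assumes (optional <PRI>, Mmm dd hh:mm:ss timestamp, host, process[pid]:, message), the allowance for inner slashes in a path-style process name, and all sample lines are assumptions or constructed data; in particular, the Cisco line only illustrates the tab separator and is not the real VPN3000 message format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Characters accepted in a header field per Table 119. Space and tab are in
# the table too, but only as separators between fields, so they are excluded
# from the per-field check and handled by the header regex instead.
FIELD_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    "0123456789@_./:*[]()+-"
)

# Exception 1: a Unix/Linux process name may be a path. The appendix describes
# it as a leading "/" followed by letters, digits, "_", "." and "-"; the
# inner "/" of a multi-component path such as /usr/sbin/cron is an assumption.
PATH_PROCESS_RE = re.compile(r"^/[A-Za-z0-9_./\-]*$")

# Assumed BSD-style layout: <PRI>Mmm dd hh:mm:ss HOST PROCESS[pid]: message
# Exception 2: the separator before the target string may be a space
# (Windows sources) or a tab (Cisco VPN3000), so [ \t]+ is accepted.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                            # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})"      # Mmm dd hh:mm:ss
    r"[ \t]+(?P<host>[^ \t]+)"                              # host field
    r"[ \t]+(?P<proc>[^ \t:\[]+)(?:\[(?P<pid>\d+)\])?:?"    # process[pid]:
    r"[ \t]+(?P<msg>.*)$"                                   # rest of the line
)


@dataclass
class Header:
    pri: Optional[int]
    timestamp: str
    host: str
    process: str
    pid: Optional[int]
    message: str
    separator: str  # "space" or "tab": the character before the process field


def host_field_ok(value: str) -> bool:
    """True if the host field is non-empty and uses only Table 119 characters."""
    return bool(value) and all(c in FIELD_CHARS for c in value)


def process_field_ok(value: str) -> bool:
    """Table 119 characters, or a path per the Unix/Linux process-name exception."""
    return host_field_ok(value) or PATH_PROCESS_RE.match(value) is not None


def parse_header(line: str) -> Optional[Header]:
    """Split a line into header fields; return None when the layout does not
    match or the host/process fields contain characters outside the sets."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    host, proc = m.group("host"), m.group("proc")
    if not host_field_ok(host) or not process_field_ok(proc):
        return None
    pri, pid = m.group("pri"), m.group("pid")
    return Header(
        pri=int(pri) if pri is not None else None,
        timestamp=m.group("ts"),
        host=host,
        process=proc,
        pid=int(pid) if pid is not None else None,
        message=m.group("msg"),
        separator="tab" if line[m.start("proc") - 1] == "\t" else "space",
    )


# Constructed sample lines (not real captures); the Cisco line only
# illustrates the tab separator, not the VPN3000 message format.
SAMPLE_LINES = [
    "<13>Oct 11 22:14:15 webhost01 /usr/sbin/cron[998]: (root) CMD (run-parts /etc/cron.hourly)",
    "<14>Oct  1 09:03:22 WIN-DC01.example.com MSWinEventLog: 4624 An account was successfully logged on",
    "<166>Oct 11 22:14:15 vpn3000\tIKE/52: session established for user jdoe",
    "<34>Oct 11 22:14:15 bad;host su[1234]: 'su root' failed for jdoe",
]


def check_lines(lines):
    """Return (host, process, separator) per accepted line, or None per rejected line."""
    out = []
    for line in lines:
        h = parse_header(line)
        out.append(None if h is None else (h.host, h.process, h.separator))
    return out


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, check_lines(SAMPLE_LINES)):
        print("REJECT" if result is None else "OK    ", repr(line[:40]), result)
```

The fourth sample is rejected because its host field contains a semicolon, which is outside Table 119; the first passes because the slash is itself an accepted character and the path-style process name is also covered by the exception, and the third is accepted only because the separator check allows a tab as well as a space.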


Index

A

Accepted Connections

Real-Time report 174

Access Control

Real-Time report 125

Active FW Connections

Real-Time report 175

Active VPN Connections

Real-Time report 176

alert receivers

defining alert 112

Alert Viewer

using 100

viewing alerts 100

Alert Widgets 47

alerts

about 99

add new alert rule 108

add new template format 102

adding 102, 106, 108

delete template 106

manage alert templates 102

managing 107

modifying alert rules 114

parsed data alert 113

removing alert rules 114

tab description 107

view and modify templates 106

All Database Events

Real-Time report 135, 141

All Unparsed Events

Real-Time report 192, 193

appliances

introducing 16

system status 22

Application Distribution

Real-Time report 177

B

Boolean expression, entering 62

C

change LogApp account password 232

change Login Landing Page 231

Check Point Policy

Real-Time report 199

tab description 199

using 199

clipboard

adding a new 75

index search 75

configuring result settings 67

Connectivity

Real-Time report 172

CPU Usage

tab description 31

viewing 30

customer support 13

D

Dashboard 40

Dashboard settings 50

Database Access

Real-Time report 136

Database Activity

Real-Time report 134

Database Data Access report 137

Database Privilege Modifications

Real-Time report 138


Database System Modifications

Real-Time report 139

Denied Connections

Real-Time report 178

devices

defining alert 111

Distributed RegEx Search 81

E

Event Logs

Real-Time reports 191

examples

index search 62

exceptions

syslog header 235

Exchange 2000/03 SMTP Activity 164

Exchange 2000/03 SMTP Activity Report 165

expressions

index search, entering 62

F

filters

saving index search 75

Finished Search

tab description 85

using 85

FTP Connections

Real-Time report 180

G

groups

global, in regex search 79

I

IBM i5/OS Activity Reports

Real-Time report 140

IDS

Real-Time report 154, 155, 156, 157, 159, 160, 161, 162

IDS Activity

Real-Time report 155

index report 96

Index Search

saving as a filter 74

index search 62, 95

adding a new clipboard for 75

clipboard 75

Clipboard tab 75

configure results settings 67

examples 62

filter, reusing 75

filters 75

manage results 69

results 65

results, viewing in context 70

running 63

Search Filters tab 75

Search History tab 73

Search Results tab 65

using 62

using history 73

viewing trends 71

index search expression rules 62

index search filters 75

L

log messages

deleting clipped 77

viewing or editing 76

Log Source Status

tab description 32

viewing 32

Login Landing Page 231

LogLogic product families 18

LX appliances 18


M

Mail Activity

Real-Time report 164, 165, 167

Mail Delay

Real-Time report 166, 169

Mail Size

Real-Time report 168, 170

Manage Widgets 40

Alerts 47

Summary 41

System 49

Trend 44

management station

viewing system status 27

managing search results 69

message rate

viewing 29

MX appliances 19

My Dashboard 39

N

network infrastructure 20

Network Policies

Real-Time report 199, 201, 204, 205, 206, 209, 210, 211, 212, 213, 214, 216, 217, 218

P

Parameterized Pre-defined Regular Expression Search

Filters 92

parsed data alerts 113

Pending Search

tab description 83, 84

using 84

Permission Modification

Real-Time report 126

Policy reports

Real-Time report 198

product families 18

R

Real-Time reports

about 115

Access Control reports 125

common options 116

Connectivity reports 172

Database Activity reports 134

event logs 191

generating 116

IBM i5/OS activity reports 140

IDS reports 154

Mail Activity reports 164

Policy reports 198

Real-Time Viewer

creating reports 52

Log Messages screen 56

saving reports 52

using 52

Recent Messages

tab description 36

viewing 36

regular expression (RegEx) search 79

regular expression (regex) search

view pending searches 84

view running searches 83

related documents 10

results, index search

In Context tab 70

rules, index search expression 62

Rules/Policies

Real-Time report 200

Running Search

using 83


S

search

about 59

all index searches 95

Distributed RegEx Search 81

features overview 60

index report 96

index search 62

index, running 63

regular expression (RegEx) 79

Search Filters

adding new 86

modifying 94

overview 86

tab description 86

Search IP Address

saving a report 80

Security Events

Real-Time report 194

ST appliances 19

Summary Widgets 41

support, contacting 13

Syslog Header character sets 234

System Events

Real-Time report 195

System Object Access

Real-Time report 143

system status

viewing 22

viewing (management station) 27

System Widgets 49

T

technical support 13

templates

defining alert 112

TIBCO_HOME 11

Trend Widgets 44

trends

viewing 71


U

Unapproved Messages

tab description 35

viewing 35

User Access

Real-Time report 127

User Access By Connection

Real-Time report 146

User Actions

Real-Time report 148

User Authentication

Real-Time report 128

User Jobs

Real-Time report 151

User Last Activity

Real-Time report 130

user roles 17

users

defining alert 112

Users Created/Denied

Real-Time report 129

V

view LogApp account 230

viewing

clipped log messages 76

viewing in context 70

viewing search results 65

VPN Access

Real-Time reports 181

VPN Events

Real-Time report 196

VPN Sessions

Real-Time report 182

VPN/RADIUS Top Lists

Real-Time report 183

W

Web Cache

Real-Time report 184

Web Surfing

Real-Time report 185, 186, 187, 188, 189

Widgets 39

Window Events

Real-Time report 132
